def _get_attr_image_nt_headers(self):
if self.__arch__ == 'x86':
image_nt_headers = wintypes.IMAGE_NT_HEADERS32()
else:
raise Exception('the selected architecture is not supported')
m_k32.ReadProcessMemory(self.handle, self.get_proc_attribute('image_nt_headers_addr'), ctypes.byref(image_nt_headers), ctypes.sizeof(image_nt_headers), 0)
return image_nt_headers
def _get_attr_peb_ldr_data(self):
peb_ldr_data_addr = self.get_proc_attribute('peb_ldr_data_addr')
peb_ldr_data = wintypes.PEB_LDR_DATA()
m_k32.ReadProcessMemory(self.handle, peb_ldr_data_addr,
ctypes.byref(peb_ldr_data),
ctypes.sizeof(peb_ldr_data), 0)
return peb_ldr_data
def read_memory(self, address, size=0x400):
_data = (ctypes.c_byte * size)
data = _data()
if (m_k32.ReadProcessMemory(self.handle, address, ctypes.byref(data),
ctypes.sizeof(data), 0) == 0):
raise WindowsProcessError('Error: ReadProcessMemory',
get_last_error=m_k32.GetLastError())
return ctarray_to_bytes(data)
def _get_attr_image_dos_header(self):
image_dos_header_addr = self.get_proc_attribute(
'image_dos_header_addr')
image_dos_header = wintypes.IMAGE_DOS_HEADER()
m_k32.ReadProcessMemory(self.handle, image_dos_header_addr,
ctypes.byref(image_dos_header),
ctypes.sizeof(image_dos_header), 0)
return image_dos_header
def _get_name_for_image_import_descriptor(self, iid):
image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr')
_name = (ctypes.c_char * 0x400)
name = _name()
m_k32.ReadProcessMemory(self.handle, image_dos_header_addr + iid.Name, ctypes.byref(name), ctypes.sizeof(name), 0)
name = ''.join(name)
name = name.split('\x00')[0]
return name
def _get_name_for_ilt_entry(self, ilt_ent):
image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr')
_name = (ctypes.c_char * 0x200)
name = _name()
m_k32.ReadProcessMemory(self.handle, image_dos_header_addr + ilt_ent + ctypes.sizeof(wintypes.WORD), ctypes.byref(name), ctypes.sizeof(name), 0)
name = ''.join(name)
name = name.split('\x00')[0]
return name
def _get_ilt_for_image_import_descriptor(self, iid): # import lookup table
image_dos_header_addr = self.get_proc_attribute(
'image_dos_header_addr')
_ilt = (ctypes.c_void_p * 0x200)
ilt = _ilt()
m_k32.ReadProcessMemory(self.handle,
image_dos_header_addr + iid.OriginalFirstThunk,
ctypes.byref(ilt), ctypes.sizeof(ilt), 0)
return ilt
def _get_attr_image_import_descriptor(self):
image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr')
optional_header = self.get_proc_attribute('image_nt_headers').OptionalHeader
import_directory = optional_header.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
_import_descriptors = wintypes.IMAGE_IMPORT_DESCRIPTOR * ((import_directory.Size / ctypes.sizeof(wintypes.IMAGE_IMPORT_DESCRIPTOR)) - 1)
import_descriptors = _import_descriptors()
m_k32.ReadProcessMemory(self.handle, image_dos_header_addr + import_directory.VirtualAddress, ctypes.byref(import_descriptors), ctypes.sizeof(import_descriptors), 0)
return import_descriptors
def _get_image_base_by_name(self, name):
peb_ldr_data = self.get_proc_attribute('peb_ldr_data')
firstFLink = 0
fLink = peb_ldr_data.InLoadOrderModuleList.Flink
while fLink != firstFLink:
firstFLink = peb_ldr_data.InLoadOrderModuleList.Flink
module = wintypes.LDR_MODULE()
m_k32.ReadProcessMemory(self.handle, fLink, ctypes.byref(module), ctypes.sizeof(module), 0)
_base_dll_name = (ctypes.c_wchar * module.BaseDllName.MaximumLength)
base_dll_name = _base_dll_name()
m_k32.ReadProcessMemory(self.handle, module.BaseDllName.Buffer, base_dll_name, module.BaseDllName.Length + 2, 0)
base_dll_name = base_dll_name[:(module.BaseDllName.Length / 2)]
if name == base_dll_name:
return module
fLink = module.InLoadOrderModuleList.Flink
return None
def _get_attr_peb(self):
peb_addr = self.get_proc_attribute('peb_addr')
peb = wintypes.PEB()
m_k32.ReadProcessMemory(self.handle, peb_addr, ctypes.byref(peb),
ctypes.sizeof(peb), 0)
return peb
