def _getExpandedCounterPaths(processName, counterName):
'''
Get list of expanded counter paths given a counter name. Returns a
list of strings or None, if no counter paths can be created
'''
pcchPathListLength = DWORD(0)
szWildCardPath = LPSTR('\\process(%s)\\%s' % (processName, counterName))
if pdh.PdhExpandCounterPathA(szWildCardPath, LPSTR(None),
pointer(pcchPathListLength)) != _PDH_MORE_DATA:
return None
pathListLength = pcchPathListLength.value
szExpandedPathList = LPCSTR('\0' * pathListLength)
if pdh.PdhExpandCounterPathA(szWildCardPath, szExpandedPathList,
pointer(pcchPathListLength)) != 0:
return None
buffer = create_string_buffer(pcchPathListLength.value)
memmove(buffer, szExpandedPathList, pcchPathListLength.value)
paths = []
i=0
path = ''
for j in range(0, pcchPathListLength.value):
c = struct.unpack_from('c', buffer, offset=j)[0]
if c == '\0':
if j == i:
# double null: we're done
break
paths.append(path)
path = ''
i = j + 1
else:
path += c
return paths
def get_base_address(pid):
me32 = MODULEENTRY32()
me32.dwSize = sizeof(MODULEENTRY32)
snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid)
next_module = Module32First(snapshot, pointer(me32))
while next_module and me32.th32ProcessID != pid:
print me32.th32ProcessID
print me32.szExePath
next_module = Module32Next(snapshot, pointer(me32))
CloseHandle(snapshot)
print hex(addressof(me32.modBaseAddr.contents))
# Convert base address from LP_c_byte to long
return addressof(me32.modBaseAddr.contents)
def createXInputGamePadState(user_id):
gamepadState = XINPUT_STATE(DWORD(0), XINPUT_GAMEPAD(0, 0, 0, 0, 0, 0, 0))
t1 = Computer.getTime()
dwResult = _xinput_dll.XInputGetState(user_id, pointer(gamepadState))
t2 = Computer.getTime()
ci = t2 - t1
return dwResult, gamepadState, t2, ci
def createXInputGamePadState(user_id):
gamepadState = XINPUT_STATE(DWORD(0), XINPUT_GAMEPAD(0, 0, 0, 0, 0, 0, 0))
t1 = Computer.getTime()
dwResult = _xinput_dll.XInputGetState(user_id, pointer(gamepadState))
t2 = Computer.getTime()
ci = t2 - t1
return dwResult, gamepadState, t2, ci
def getFileVersion(self,filename):
from ctypes.wintypes import (
windll, sizeof, WinError, byref, POINTER, cast, c_char, Structure, c_uint,
pointer, BOOL, DWORD, LPVOID, LPCVOID, LPCWSTR,
)
class VS_FIXEDFILEINFO(Structure):
_fields_ = [
("dwSignature", DWORD), # will be 0xFEEF04BD
("dwStrucVersion", DWORD),
("dwFileVersionMS", DWORD),
("dwFileVersionLS", DWORD),
("dwProductVersionMS", DWORD),
("dwProductVersionLS", DWORD),
("dwFileFlagsMask", DWORD),
("dwFileFlags", DWORD),
("dwFileOS", DWORD),
("dwFileType", DWORD),
("dwFileSubtype", DWORD),
("dwFileDateMS", DWORD),
("dwFileDateLS", DWORD)
]
PUINT = POINTER(c_uint)
LPDWORD = POINTER(DWORD)
GetFileVersionInfoSizeW = windll.version.GetFileVersionInfoSizeW
GetFileVersionInfoSizeW.restype = DWORD
GetFileVersionInfoSizeW.argtypes = [LPCWSTR, LPDWORD]
GetFileVersionInfoSize = GetFileVersionInfoSizeW # alias
GetFileVersionInfoW = windll.version.GetFileVersionInfoW
GetFileVersionInfoW.restype = BOOL
GetFileVersionInfoW.argtypes = [LPCWSTR, DWORD, DWORD, LPVOID]
GetFileVersionInfo = GetFileVersionInfoW # alias
VerQueryValueW = windll.version.VerQueryValueW
VerQueryValueW.restype = BOOL
VerQueryValueW.argtypes = [LPCVOID, LPCWSTR, POINTER(LPVOID), PUINT]
VerQueryValue = VerQueryValueW # alias
filename = unicode(filename)
dwLen = GetFileVersionInfoSize(filename, None)
if not dwLen :
raise WinError()
lpData = (c_char * dwLen)()
if not GetFileVersionInfo(filename, 0, sizeof(lpData), lpData):
raise WinError()
uLen = c_uint()
lpffi = POINTER(VS_FIXEDFILEINFO)()
lplpBuffer = cast(pointer(lpffi), POINTER(LPVOID))
if not VerQueryValue(lpData, u"\\", lplpBuffer, byref(uLen)):
raise WinError()
ffi = lpffi.contents
return [int(ffi.dwFileVersionMS >> 16),
int(ffi.dwFileVersionMS & 0xFFFF),
int(ffi.dwFileVersionLS >> 16),
int(ffi.dwFileVersionLS & 0xFFFF)]
def _addCounter(self, processName, counterType, counterName):
pCounterPathElements = _PDH_COUNTER_PATH_ELEMENTS_A(
LPSTR(None),
LPSTR(counterType),
LPSTR(processName),
LPSTR(None),
DWORD(-1),
LPSTR(counterName)
)
pcchbufferSize = DWORD(0)
# First run we just try to get the buffer size so we can allocate a
# string big enough to fill it
if pdh.PdhMakeCounterPathA(pointer(pCounterPathElements),
LPCSTR(0), pointer(pcchbufferSize),
DWORD(0)) != _PDH_MORE_DATA:
raise TalosError(
"Could not create counter path for counter %s for %s"
% (counterName, processName)
)
szFullPathBuffer = LPCSTR('\0'*pcchbufferSize.value)
# Then we run to get the actual value
if pdh.PdhMakeCounterPathA(pointer(pCounterPathElements),
szFullPathBuffer, pointer(pcchbufferSize),
DWORD(0)) != 0:
raise TalosError(
"Could not create counter path for counter %s for %s"
% (counterName, processName)
)
path = szFullPathBuffer.value
hq = HANDLE()
if pdh.PdhOpenQuery(None, None, byref(hq)) != 0:
raise TalosError("Could not open win32 counter query")
hc = HANDLE()
if pdh.PdhAddCounterA(hq, path, 0, byref(hc)) != 0:
raise TalosError("Could not add win32 counter %s" % path)
self.registeredCounters[counterName] = [hq, [(hc, path)]]
def _addCounter(self, processName, counterType, counterName):
pCounterPathElements = _PDH_COUNTER_PATH_ELEMENTS_A(
LPSTR(None),
LPSTR(counterType),
LPSTR(processName),
LPSTR(None),
DWORD(-1),
LPSTR(counterName)
)
pcchbufferSize = DWORD(0)
# First run we just try to get the buffer size so we can allocate a
# string big enough to fill it
if pdh.PdhMakeCounterPathA(pointer(pCounterPathElements),
LPCSTR(0), pointer(pcchbufferSize),
DWORD(0)) != _PDH_MORE_DATA:
raise TalosError(
"Could not create counter path for counter %s for %s"
% (counterName, processName)
)
szFullPathBuffer = LPCSTR('\0'*pcchbufferSize.value)
# Then we run to get the actual value
if pdh.PdhMakeCounterPathA(pointer(pCounterPathElements),
szFullPathBuffer, pointer(pcchbufferSize),
DWORD(0)) != 0:
raise TalosError(
"Could not create counter path for counter %s for %s"
% (counterName, processName)
)
path = szFullPathBuffer.value
hq = HANDLE()
if pdh.PdhOpenQuery(None, None, byref(hq)) != 0:
raise TalosError("Could not open win32 counter query")
hc = HANDLE()
if pdh.PdhAddCounterA(hq, path, 0, byref(hc)) != 0:
raise TalosError("Could not add win32 counter %s" % path)
self.registeredCounters[counterName] = [hq, [(hc, path)]]
def scan_processes(self, skip_process_ids):
self.scanned_processes_counter = 0
del self.infected_processes[:]
self.__print_topic('Initiating memory scanning process')
pe = self.PROCESSENTRY32()
pe.dwSize = ctypes.sizeof(self.PROCESSENTRY32)
# Create process snapshot
snapshot = self.create_tool_help_32_snapshot(self.TH32CS_SNAPPROCESS,
0)
# Iterate process list
iterate = self.process_32_first(snapshot, wintypes.pointer(pe))
if not iterate:
# TODO: fix exit point
raise WindowsError('Failed to iterate process snapshot list')
while iterate:
is_infected = False
if not pe.th32ProcessID in skip_process_ids:
print 'Scanning process: %s ...' % pe.szExeFile
self.scanned_processes_counter += 1
self.bar.update(self.scanned_processes_counter)
try:
is_infected = self.yara_rules.match(pid=pe.th32ProcessID)
except yara.Error as ye:
# TODO: fix exit point
pass
if is_infected:
print 'Infected process: %s found on memory!' % pe.szExeFile
self.infected_processes.append(
(pe.th32ProcessID, pe.szExeFile))
iterate = self.process_32_next(snapshot, wintypes.pointer(pe))
self.close_handle(snapshot)
self.bar.finish()
print '\nMemory scan completed successfully.\n'
return not self.infected_processes
def GetFileVersion(filename):
dwLen = GetFileVersionInfoSize(filename, None)
if not dwLen:
raise WinError()
lpData = (c_char * dwLen)()
if not GetFileVersionInfo(filename, 0, sizeof(lpData), lpData):
raise WinError()
uLen = c_uint()
lpffi = POINTER(VS_FIXEDFILEINFO)()
lplpBuffer = cast(pointer(lpffi), POINTER(LPVOID))
if not VerQueryValue(lpData, u"\\", lplpBuffer, byref(uLen)):
raise WinError()
ffi = lpffi.contents
return (
ffi.dwFileVersionMS >> 16,
ffi.dwFileVersionMS & 0xFFFF,
ffi.dwFileVersionLS >> 16,
ffi.dwFileVersionLS & 0xFFFF,
)
def GetFileVersion(filename):
dwLen = GetFileVersionInfoSize(filename, None)
if not dwLen:
raise WinError()
lpData = (c_char * dwLen)()
if not GetFileVersionInfo(filename, 0, sizeof(lpData), lpData):
raise WinError()
uLen = c_uint()
lpffi = POINTER(VS_FIXEDFILEINFO)()
lplpBuffer = cast(pointer(lpffi), POINTER(LPVOID))
if not VerQueryValue(lpData, u"\\", lplpBuffer, byref(uLen)):
raise WinError()
ffi = lpffi.contents
return (
ffi.dwFileVersionMS >> 16,
ffi.dwFileVersionMS & 0xFFFF,
ffi.dwFileVersionLS >> 16,
ffi.dwFileVersionLS & 0xFFFF,
)