Example #1
0
def _getExpandedCounterPaths(processName, counterName):
  '''
  Get list of expanded counter paths given a counter name. Returns a
  list of strings or None, if no counter paths can be created
  '''
  pcchPathListLength = DWORD(0)
  szWildCardPath = LPSTR('\\process(%s)\\%s' % (processName, counterName))
  if pdh.PdhExpandCounterPathA(szWildCardPath, LPSTR(None),
                                      pointer(pcchPathListLength)) != _PDH_MORE_DATA:
    return None

  pathListLength = pcchPathListLength.value
  szExpandedPathList = LPCSTR('\0' * pathListLength)
  if pdh.PdhExpandCounterPathA(szWildCardPath, szExpandedPathList,
                               pointer(pcchPathListLength)) != 0:
    return None
  buffer = create_string_buffer(pcchPathListLength.value)
  memmove(buffer, szExpandedPathList, pcchPathListLength.value)

  paths = []
  i=0
  path = ''
  for j in range(0, pcchPathListLength.value):
    c = struct.unpack_from('c', buffer, offset=j)[0]
    if c == '\0':
      if j == i:
        # double null: we're done
        break
      paths.append(path)
      path = ''
      i = j + 1
    else:
      path += c

  return paths
Example #2
0
def get_base_address(pid):
    me32 = MODULEENTRY32()
    me32.dwSize = sizeof(MODULEENTRY32)
    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid)
    next_module = Module32First(snapshot, pointer(me32))

    while next_module and me32.th32ProcessID != pid:
        print me32.th32ProcessID
        print me32.szExePath
        next_module = Module32Next(snapshot, pointer(me32))

    CloseHandle(snapshot)
    print hex(addressof(me32.modBaseAddr.contents))
    # Convert base address from LP_c_byte to long
    return addressof(me32.modBaseAddr.contents)
Example #3
0
def createXInputGamePadState(user_id):
    gamepadState = XINPUT_STATE(DWORD(0), XINPUT_GAMEPAD(0, 0, 0, 0, 0, 0, 0))
    t1 = Computer.getTime()
    dwResult = _xinput_dll.XInputGetState(user_id, pointer(gamepadState))
    t2 = Computer.getTime()
    ci = t2 - t1
    return dwResult, gamepadState, t2, ci
Example #4
0
def createXInputGamePadState(user_id):
    gamepadState = XINPUT_STATE(DWORD(0), XINPUT_GAMEPAD(0, 0, 0, 0, 0, 0, 0))
    t1 = Computer.getTime()
    dwResult = _xinput_dll.XInputGetState(user_id, pointer(gamepadState))
    t2 = Computer.getTime()
    ci = t2 - t1
    return dwResult, gamepadState, t2, ci
Example #5
0
    def getFileVersion(self,filename):
        from ctypes.wintypes import (
            windll, sizeof, WinError, byref, POINTER, cast, c_char, Structure, c_uint,
            pointer, BOOL, DWORD, LPVOID, LPCVOID, LPCWSTR,
        )

        class VS_FIXEDFILEINFO(Structure):
            _fields_ = [
                ("dwSignature", DWORD), # will be 0xFEEF04BD
                ("dwStrucVersion", DWORD),
                ("dwFileVersionMS", DWORD),
                ("dwFileVersionLS", DWORD),
                ("dwProductVersionMS", DWORD),
                ("dwProductVersionLS", DWORD),
                ("dwFileFlagsMask", DWORD),
                ("dwFileFlags", DWORD),
                ("dwFileOS", DWORD),
                ("dwFileType", DWORD),
                ("dwFileSubtype", DWORD),
                ("dwFileDateMS", DWORD),
                ("dwFileDateLS", DWORD)
        ]

        PUINT = POINTER(c_uint)
        LPDWORD = POINTER(DWORD)

        GetFileVersionInfoSizeW = windll.version.GetFileVersionInfoSizeW
        GetFileVersionInfoSizeW.restype = DWORD
        GetFileVersionInfoSizeW.argtypes = [LPCWSTR, LPDWORD]
        GetFileVersionInfoSize = GetFileVersionInfoSizeW # alias

        GetFileVersionInfoW = windll.version.GetFileVersionInfoW
        GetFileVersionInfoW.restype = BOOL
        GetFileVersionInfoW.argtypes = [LPCWSTR, DWORD, DWORD, LPVOID]
        GetFileVersionInfo = GetFileVersionInfoW # alias

        VerQueryValueW = windll.version.VerQueryValueW
        VerQueryValueW.restype = BOOL
        VerQueryValueW.argtypes = [LPCVOID, LPCWSTR, POINTER(LPVOID), PUINT]
        VerQueryValue = VerQueryValueW # alias

        filename = unicode(filename)
    
        dwLen  = GetFileVersionInfoSize(filename, None)
        if not dwLen :
            raise WinError()
        lpData = (c_char * dwLen)()
        if not GetFileVersionInfo(filename, 0, sizeof(lpData), lpData):
            raise WinError()
        uLen = c_uint()
        lpffi = POINTER(VS_FIXEDFILEINFO)()
        lplpBuffer = cast(pointer(lpffi), POINTER(LPVOID))
        if not VerQueryValue(lpData, u"\\", lplpBuffer, byref(uLen)):
            raise WinError()
        ffi = lpffi.contents
        return [int(ffi.dwFileVersionMS >> 16),
            int(ffi.dwFileVersionMS & 0xFFFF),
            int(ffi.dwFileVersionLS >> 16),
            int(ffi.dwFileVersionLS & 0xFFFF)]
Example #6
0
    def _addCounter(self, processName, counterType, counterName):
        pCounterPathElements = _PDH_COUNTER_PATH_ELEMENTS_A(
            LPSTR(None),
            LPSTR(counterType),
            LPSTR(processName),
            LPSTR(None),
            DWORD(-1),
            LPSTR(counterName)
        )

        pcchbufferSize = DWORD(0)

        # First run we just try to get the buffer size so we can allocate a
        # string big enough to fill it
        if pdh.PdhMakeCounterPathA(pointer(pCounterPathElements),
                                   LPCSTR(0), pointer(pcchbufferSize),
                                   DWORD(0)) != _PDH_MORE_DATA:
            raise TalosError(
                "Could not create counter path for counter %s for %s"
                % (counterName, processName)
            )

        szFullPathBuffer = LPCSTR('\0'*pcchbufferSize.value)
        # Then we run to get the actual value
        if pdh.PdhMakeCounterPathA(pointer(pCounterPathElements),
                                   szFullPathBuffer, pointer(pcchbufferSize),
                                   DWORD(0)) != 0:
            raise TalosError(
                "Could not create counter path for counter %s for %s"
                % (counterName, processName)
            )

        path = szFullPathBuffer.value

        hq = HANDLE()
        if pdh.PdhOpenQuery(None, None, byref(hq)) != 0:
            raise TalosError("Could not open win32 counter query")

        hc = HANDLE()
        if pdh.PdhAddCounterA(hq, path, 0, byref(hc)) != 0:
            raise TalosError("Could not add win32 counter %s" % path)

        self.registeredCounters[counterName] = [hq, [(hc, path)]]
    def _addCounter(self, processName, counterType, counterName):
        pCounterPathElements = _PDH_COUNTER_PATH_ELEMENTS_A(
            LPSTR(None),
            LPSTR(counterType),
            LPSTR(processName),
            LPSTR(None),
            DWORD(-1),
            LPSTR(counterName)
        )

        pcchbufferSize = DWORD(0)

        # First run we just try to get the buffer size so we can allocate a
        # string big enough to fill it
        if pdh.PdhMakeCounterPathA(pointer(pCounterPathElements),
                                   LPCSTR(0), pointer(pcchbufferSize),
                                   DWORD(0)) != _PDH_MORE_DATA:
            raise TalosError(
                "Could not create counter path for counter %s for %s"
                % (counterName, processName)
            )

        szFullPathBuffer = LPCSTR('\0'*pcchbufferSize.value)
        # Then we run to get the actual value
        if pdh.PdhMakeCounterPathA(pointer(pCounterPathElements),
                                   szFullPathBuffer, pointer(pcchbufferSize),
                                   DWORD(0)) != 0:
            raise TalosError(
                "Could not create counter path for counter %s for %s"
                % (counterName, processName)
            )

        path = szFullPathBuffer.value

        hq = HANDLE()
        if pdh.PdhOpenQuery(None, None, byref(hq)) != 0:
            raise TalosError("Could not open win32 counter query")

        hc = HANDLE()
        if pdh.PdhAddCounterA(hq, path, 0, byref(hc)) != 0:
            raise TalosError("Could not add win32 counter %s" % path)

        self.registeredCounters[counterName] = [hq, [(hc, path)]]
Example #8
0
    def scan_processes(self, skip_process_ids):
        self.scanned_processes_counter = 0
        del self.infected_processes[:]

        self.__print_topic('Initiating memory scanning process')

        pe = self.PROCESSENTRY32()
        pe.dwSize = ctypes.sizeof(self.PROCESSENTRY32)

        # Create process snapshot
        snapshot = self.create_tool_help_32_snapshot(self.TH32CS_SNAPPROCESS,
                                                     0)

        # Iterate process list
        iterate = self.process_32_first(snapshot, wintypes.pointer(pe))
        if not iterate:
            # TODO: fix exit point
            raise WindowsError('Failed to iterate process snapshot list')

        while iterate:
            is_infected = False
            if not pe.th32ProcessID in skip_process_ids:
                print 'Scanning process: %s ...' % pe.szExeFile
                self.scanned_processes_counter += 1
                self.bar.update(self.scanned_processes_counter)
                try:
                    is_infected = self.yara_rules.match(pid=pe.th32ProcessID)
                except yara.Error as ye:
                    # TODO: fix exit point
                    pass

                if is_infected:
                    print 'Infected process: %s found on memory!' % pe.szExeFile
                    self.infected_processes.append(
                        (pe.th32ProcessID, pe.szExeFile))

            iterate = self.process_32_next(snapshot, wintypes.pointer(pe))

        self.close_handle(snapshot)
        self.bar.finish()

        print '\nMemory scan completed successfully.\n'
        return not self.infected_processes
def GetFileVersion(filename):
    dwLen = GetFileVersionInfoSize(filename, None)
    if not dwLen:
        raise WinError()
    lpData = (c_char * dwLen)()
    if not GetFileVersionInfo(filename, 0, sizeof(lpData), lpData):
        raise WinError()
    uLen = c_uint()
    lpffi = POINTER(VS_FIXEDFILEINFO)()
    lplpBuffer = cast(pointer(lpffi), POINTER(LPVOID))
    if not VerQueryValue(lpData, u"\\", lplpBuffer, byref(uLen)):
        raise WinError()
    ffi = lpffi.contents
    return (
        ffi.dwFileVersionMS >> 16,
        ffi.dwFileVersionMS & 0xFFFF,
        ffi.dwFileVersionLS >> 16,
        ffi.dwFileVersionLS & 0xFFFF,
    )
Example #10
0
def GetFileVersion(filename):
    dwLen  = GetFileVersionInfoSize(filename, None)
    if not dwLen:
        raise WinError()
    lpData = (c_char * dwLen)()
    if not GetFileVersionInfo(filename, 0, sizeof(lpData), lpData):
        raise WinError()
    uLen = c_uint()
    lpffi = POINTER(VS_FIXEDFILEINFO)()
    lplpBuffer = cast(pointer(lpffi), POINTER(LPVOID))
    if not VerQueryValue(lpData, u"\\", lplpBuffer, byref(uLen)):
        raise WinError()
    ffi = lpffi.contents
    return (
        ffi.dwFileVersionMS >> 16,
        ffi.dwFileVersionMS & 0xFFFF,
        ffi.dwFileVersionLS >> 16,
        ffi.dwFileVersionLS & 0xFFFF,
    )