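def _get_attr_image_nt_headers(self):
    """Read the target's IMAGE_NT_HEADERS from the cached ``image_nt_headers_addr``.

    Only the 'x86' architecture is handled (``IMAGE_NT_HEADERS32``); any
    other value of ``self.__arch__`` is rejected before anything is read.

    :return: a populated ``wintypes.IMAGE_NT_HEADERS32`` instance.
    :raises Exception: if the selected architecture is not supported.
    :raises WindowsProcessError: if ReadProcessMemory reports failure.
    """
    if self.__arch__ != 'x86':
        raise Exception('the selected architecture is not supported')
    image_nt_headers = wintypes.IMAGE_NT_HEADERS32()
    # A silently failed read leaves a zero-filled header that callers then
    # parse (OptionalHeader, DataDirectory); surface it the way read_memory
    # does instead of returning garbage.
    if m_k32.ReadProcessMemory(self.handle, self.get_proc_attribute('image_nt_headers_addr'), ctypes.byref(image_nt_headers), ctypes.sizeof(image_nt_headers), 0) == 0:
        raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
    return image_nt_headers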
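def _get_attr_peb_ldr_data(self):
    """Read the target's PEB_LDR_DATA structure from the cached ``peb_ldr_data_addr``.

    :return: a populated ``wintypes.PEB_LDR_DATA`` instance.
    :raises WindowsProcessError: if ReadProcessMemory reports failure.
    """
    peb_ldr_data_addr = self.get_proc_attribute('peb_ldr_data_addr')
    peb_ldr_data = wintypes.PEB_LDR_DATA()
    # The module-list walk follows the Flink pointers in this structure; a
    # zero-filled copy from an unchecked failed read would be followed as
    # if it were real, so fail loudly here (consistent with read_memory).
    if m_k32.ReadProcessMemory(self.handle, peb_ldr_data_addr, ctypes.byref(peb_ldr_data), ctypes.sizeof(peb_ldr_data), 0) == 0:
        raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
    return peb_ldr_data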
def read_memory(self, address, size=0x400):
    """Return ``size`` bytes read from ``address`` in the target process.

    :param int address: address in the target process to read from.
    :param int size: number of bytes to read (defaults to 0x400).
    :return: the bytes read, converted with ``ctarray_to_bytes``.
    :raises WindowsProcessError: if ReadProcessMemory reports failure.
    """
    buffer = (ctypes.c_byte * size)()
    succeeded = m_k32.ReadProcessMemory(
        self.handle,
        address,
        ctypes.byref(buffer),
        ctypes.sizeof(buffer),
        0,
    )
    if not succeeded:
        raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
    return ctarray_to_bytes(buffer)
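def _get_attr_image_dos_header(self):
    """Read the target's IMAGE_DOS_HEADER from the cached ``image_dos_header_addr``.

    :return: a populated ``wintypes.IMAGE_DOS_HEADER`` instance.
    :raises WindowsProcessError: if ReadProcessMemory reports failure.
    """
    image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr')
    image_dos_header = wintypes.IMAGE_DOS_HEADER()
    # Report a failed read instead of handing back a zero-filled header
    # (consistent with read_memory).
    if m_k32.ReadProcessMemory(self.handle, image_dos_header_addr, ctypes.byref(image_dos_header), ctypes.sizeof(image_dos_header), 0) == 0:
        raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
    return image_dos_header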
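def _get_name_for_image_import_descriptor(self, iid):
    """Return the DLL name an IMAGE_IMPORT_DESCRIPTOR refers to.

    ``iid.Name`` is an RVA from the image base (the cached
    ``image_dos_header_addr``). A fixed 0x400-byte window is read and the
    result is cut at the first NUL.

    :param iid: an ``IMAGE_IMPORT_DESCRIPTOR`` read from the target.
    :return: the NUL-terminated name (``str`` on Python 2, ``bytes`` on 3).
    :raises WindowsProcessError: if the read failed and yielded nothing.
    """
    image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr')
    name_buf = (ctypes.c_char * 0x400)()
    succeeded = m_k32.ReadProcessMemory(self.handle, image_dos_header_addr + iid.Name, ctypes.byref(name_buf), ctypes.sizeof(name_buf), 0)
    # The fixed-size over-read can cross into an unmapped page, in which
    # case the call reports failure even though the accessible prefix may
    # already have been transferred (the rest of the buffer stays zeroed
    # because ctypes zero-initialises it). Only treat the failure as fatal
    # when nothing usable arrived.
    if succeeded == 0 and not name_buf.value:
        raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
    # .value stops at the first NUL; ''.join(name) only worked on Python 2,
    # where iterating a c_char array yields 1-character str objects.
    return name_buf.value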
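def _get_name_for_ilt_entry(self, ilt_ent):
    """Return the function name an import lookup table entry refers to.

    ``ilt_ent`` is treated as an RVA to an IMAGE_IMPORT_BY_NAME; the leading
    WORD (Hint) is skipped and up to 0x200 bytes of the name are read, cut
    at the first NUL.

    :param ilt_ent: one entry of the array from
        ``_get_ilt_for_image_import_descriptor``.
    :return: the NUL-terminated name (``str`` on Python 2, ``bytes`` on 3),
        or an empty string when the entry's memory could not be read --
        e.g. presumably for ordinal entries, whose high bit makes the value
        an invalid RVA (TODO confirm how callers handle those).
    """
    image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr')
    name_buf = (ctypes.c_char * 0x200)()
    # The return value is deliberately not turned into an exception here:
    # the previous behaviour for an unreadable entry was an empty name and
    # callers walking a whole ILT may rely on it. The buffer is
    # zero-initialised, so a failed read yields ''.
    m_k32.ReadProcessMemory(self.handle, image_dos_header_addr + ilt_ent + ctypes.sizeof(wintypes.WORD), ctypes.byref(name_buf), ctypes.sizeof(name_buf), 0)
    # .value stops at the first NUL; ''.join(name) only worked on Python 2,
    # where iterating a c_char array yields 1-character str objects.
    return name_buf.value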
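def _get_ilt_for_image_import_descriptor(self, iid):
    """Read the import lookup table (ILT) of an IMAGE_IMPORT_DESCRIPTOR.

    ``iid.OriginalFirstThunk`` is an RVA from the image base. A fixed
    0x200-entry array is read; a zero entry (reported as ``None`` for
    ``c_void_p`` elements) marks the end of the table.

    NOTE(review): ``c_void_p`` has the host interpreter's pointer size, not
    the target's; with the 'x86'-only architecture check elsewhere in this
    class this presumably assumes a 32-bit Python -- TODO confirm.

    :param iid: an ``IMAGE_IMPORT_DESCRIPTOR`` read from the target.
    :return: a ``ctypes.c_void_p * 0x200`` array.
    :raises WindowsProcessError: if the read failed and yielded nothing.
    """
    image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr')
    ilt = (ctypes.c_void_p * 0x200)()
    succeeded = m_k32.ReadProcessMemory(self.handle, image_dos_header_addr + iid.OriginalFirstThunk, ctypes.byref(ilt), ctypes.sizeof(ilt), 0)
    # The over-read can cross into unmapped memory, in which case the call
    # reports failure even though the accessible prefix may have been
    # transferred; untouched entries stay zero, which is also how the ILT
    # is terminated. Only a read that left even the first entry empty is
    # treated as an error.
    if succeeded == 0 and ilt[0] is None:
        raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
    return ilt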
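def _get_attr_image_import_descriptor(self):
    """Read the target's array of IMAGE_IMPORT_DESCRIPTORs.

    The import directory entry of the optional header gives the RVA and
    byte size of the array; one descriptor is dropped from the count
    (presumably the all-zero terminator -- TODO confirm).

    :return: a ``wintypes.IMAGE_IMPORT_DESCRIPTOR * count`` array; empty
        when the directory has no room for a descriptor.
    :raises WindowsProcessError: if ReadProcessMemory reports failure.
    """
    image_dos_header_addr = self.get_proc_attribute('image_dos_header_addr')
    optional_header = self.get_proc_attribute('image_nt_headers').OptionalHeader
    import_directory = optional_header.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
    descriptor_size = ctypes.sizeof(wintypes.IMAGE_IMPORT_DESCRIPTOR)
    # Size comes from the target's own headers, i.e. untrusted data. Use
    # floor division ('/' is float division on Python 3 and then breaks the
    # array-type multiplication) and clamp at zero so an empty or undersized
    # directory yields an empty array instead of a negative array length.
    count = max(import_directory.Size // descriptor_size - 1, 0)
    import_descriptors = (wintypes.IMAGE_IMPORT_DESCRIPTOR * count)()
    if count == 0:
        return import_descriptors
    if m_k32.ReadProcessMemory(self.handle, image_dos_header_addr + import_directory.VirtualAddress, ctypes.byref(import_descriptors), ctypes.sizeof(import_descriptors), 0) == 0:
        raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
    return import_descriptors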
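def _get_image_base_by_name(self, name):
    """Find a loaded module by its base DLL name.

    Walks the target's ``InLoadOrderModuleList`` (from the cached
    ``peb_ldr_data``) and returns the ``LDR_MODULE`` whose ``BaseDllName``
    equals ``name``. The comparison is exact (case-sensitive), as before.

    :param name: the base DLL name to look for.
    :return: the matching ``wintypes.LDR_MODULE``, or ``None``.
    :raises WindowsProcessError: if a list entry or a module name cannot
        be read from the target.
    """
    peb_ldr_data = self.get_proc_attribute('peb_ldr_data')
    # The list is circular and its head lives inside PEB_LDR_DATA itself,
    # so the walk ends when Flink points back at the head. Comparing against
    # the first module instead (as before) forced one bogus LDR_MODULE read
    # at the head address, with a garbage-sized name buffer. A visited set
    # guards against a corrupted list that never returns to the head.
    list_head_addr = (self.get_proc_attribute('peb_ldr_data_addr')
                      + wintypes.PEB_LDR_DATA.InLoadOrderModuleList.offset)
    flink = peb_ldr_data.InLoadOrderModuleList.Flink
    visited = set()
    while flink != list_head_addr and flink not in visited:
        visited.add(flink)
        module = wintypes.LDR_MODULE()
        if m_k32.ReadProcessMemory(self.handle, flink, ctypes.byref(module), ctypes.sizeof(module), 0) == 0:
            raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
        # UNICODE_STRING.Length is a byte count of UTF-16 text (2 bytes per
        # character). Size the local buffer from Length rather than
        # MaximumLength so a zero-length name no longer reads 2 bytes into
        # an empty buffer, and read exactly Length bytes.
        nchars = module.BaseDllName.Length // 2
        base_dll_name = ''
        if nchars:
            name_buf = (ctypes.c_wchar * (nchars + 1))()
            if m_k32.ReadProcessMemory(self.handle, module.BaseDllName.Buffer, name_buf, nchars * 2, 0) == 0:
                raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
            base_dll_name = name_buf[:nchars]
        if name == base_dll_name:
            return module
        flink = module.InLoadOrderModuleList.Flink
    return None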
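def _get_attr_peb(self):
    """Read the target's PEB from the cached ``peb_addr``.

    :return: a populated ``wintypes.PEB`` instance.
    :raises WindowsProcessError: if ReadProcessMemory reports failure.
    """
    peb_addr = self.get_proc_attribute('peb_addr')
    peb = wintypes.PEB()
    # Every other structure address is derived from the PEB; a zero-filled
    # copy from an unchecked failed read would be followed as if real, so
    # fail loudly here (consistent with read_memory).
    if m_k32.ReadProcessMemory(self.handle, peb_addr, ctypes.byref(peb), ctypes.sizeof(peb), 0) == 0:
        raise WindowsProcessError('Error: ReadProcessMemory', get_last_error=m_k32.GetLastError())
    return peb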