def show_command_line(pid): # Instance a Process object. process = Process(pid) # Print the process command line. print(process.get_command_line())
def load_dll(pid, filename): # Instance a Process object. process = Process(pid) # Load the DLL library in the process. process.inject_dll(filename)
def memory_search( pid ): found = [] # Instance a Process object. process = Process( pid ) # Search for the string in the process memory. # Looking for User ID: userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]' for address in process.search_regexp( userid_pattern ): found += [address] print 'Possible UserIDs found:' found = [i[-1] for i in found] for i in set(found): print i.replace('\x00','') found = [] # Looking for Password: pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00' for address in process.search_regexp( pass_pattern ): found += [process.read(address[0]-3,16)] if found: print '\nPassword:'******'[0-9]{4}',i.replace('\x00',''))[0] print pwd else: print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0] return found
def kill_thread( pid, kill_tid=None ): System.request_debug_privileges() process = Process(pid) process.scan_threads() tmp = kill_tid.split(',') print tmp, ":", type(tmp), ":", len(tmp) for thread in process.iter_threads(): thread.suspend() tid = thread.get_tid() try: if kill_tid is None or kill_tid == 0: hThread = thread.get_handle() win32.CloseHandle(hThread) win32.TerminateThread(hThread, -999) else: if len(tmp)>1: for s in tmp: if tid == int(s): print "kill > ", pid, " > ", tid, " > ", kill_tid hThread = thread.get_handle() #win32.CloseHandle(hThread) win32.TerminateThread(hThread, -999) except Exception, e: print e pass thread.resume()
def action_WriteProcessMemoryW(event): # Get the return address of the call address = event.get_thread().read_stack_dwords(1)[0] fo = open("C:/unpacked.bin", "w") # Get the process and thread IDs pid = event.get_pid() tid = event.get_tid() process = Process(pid) bufferAddr = event.get_thread().read_stack_dwords( 6 )[3] #6 is no of dwords grabbed from stack [0] is retuen addr [3] is 3rd argument print hex(bufferAddr) print "xxxxxxx" memoryMap = process.get_memory_map() readable = 0 writeable = 0 executable = 0 private = 0 mapped = 0 image = 0 total = 0 for mbi in memoryMap: #print hex(mbi.BaseAddress) if mbi.BaseAddress == bufferAddr: print "dumping data" print hex(mbi.BaseAddress) print hex(mbi.RegionSize) data = process_read(pid, mbi.BaseAddress, mbi.RegionSize) fo.write(data) fo.close()
def freeze_threads( pid, _tid=None ): System.request_debug_privileges() process = Process(pid) process.scan_threads() tmp = _tid.split(',') print tmp, ":", type(tmp), ":", len(tmp) for thread in process.iter_threads(): tid = thread.get_tid() _tid = int(tid) if _tid is None or _tid == 0 : thread.suspend() print tid, " suspend()" else: if len(tmp)>1: for s in tmp: if tid == int(s): print tid, " suspend()" thread.suspend() else: if tid == _tid: print tid, " suspend()" thread.suspend()
def process_kill( pid ): # Instance a Process object. process = Process( pid ) # Kill the process. process.kill()
def find_meterpreter_trace(pid, rateLimit): if (System.arch == 'i386' and System.bits == 32): try: meterpreter_trace_keywords = [['stdapi_railgun_api', False], ['stdapi_railgun_api_multi', False], ['stdapi_railgun_memread', False], ['stdapi_railgun_memwrite', False]] process = psutil.Process(pid) if (process.is_running() and process.name() == 'java.exe'): meterpreter_trace_keywords = [ [ 'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_fs_file', False ], [ 'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_client', False ], [ 'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_tcp_server', False ], [ 'class$com$metasploit$meterpreter$stdapi$channel_create_stdapi_net_udp_client', False ] ] except Exception, e: pass #suppress no process name #print "Searching in",pid foundIndex = 0 process = Process(pid) line = 0 #For each ASCII string found in the process memory... for address, size, data in process.strings(): #print "%s: %s" % (HexDump.address(address),data) data = data.strip() if (data.find(meterpreter_trace_keywords[foundIndex][0]) >= 0): meterpreter_trace_keywords[foundIndex][1] = True mdlog.print_console( mdlog.SUCCESS_LEVEL, (meterpreter_trace_keywords[foundIndex][0])) foundIndex += 1 if foundIndex > len(meterpreter_trace_keywords) - 1: break line += 1 if (line > rateLimit): return False if foundIndex < 3: #print "Found: %d" , foundIndex return False else: found = True for trace in meterpreter_trace_keywords: found = found and trace[1] return found
def main(): pid = int(sys.argv[1]) proc = Process(pid) #= info print "pid;", proc.get_pid() print "is_alive;", proc.is_alive() print "is_debugged;", proc.is_debugged() print "is_wow;", proc.is_wow64() print "arch;", proc.get_arch() print "bits;", proc.get_bits() print "filename:", proc.get_filename() print "exit_time;", proc.get_exit_time() print "running_time;", proc.get_running_time() print "service;", proc.get_services() print "policy;", proc.get_dep_policy() print "peb;", proc.get_peb() print "main_module;", proc.get_main_module() print "peb_address", proc.get_peb_address() print "entry_point;", proc.get_entry_point() print "image_base;", proc.get_image_base() print "image_name;", proc.get_image_name() print "command_line;", proc.get_command_line() print "environment;", proc.get_environment() print "handle;", proc.get_handle() print "resume;",proc.resume()
def print_api_address(pid, modName, procName): # Request debug privileges. System.request_debug_privileges() # Instance a Process object. process = Process(pid) # Lookup it's modules. process.scan_modules() # Get the module. module = process.get_module_by_name(modName) if not module: print "Module not found: %s" % modName return # Resolve the requested API function address. address = module.resolve(procName) # Print the address. if address: print "%s!%s == 0x%.08x" % (modName, procName, address) else: print "Could not resolve %s in module %s" % (procName, modName)
def unfreeze_threads(pid): System.request_debug_privileges() process = Process(pid) #process.resume() process.scan_threads() for thread in process.iter_threads(): thread.resume()
def main(): print("Process memory reader") print("by Mario Vilas (mvilas at gmail.com)") print if len(sys.argv) not in (4, 5): script = os.path.basename(sys.argv[0]) print(" %s <pid> <address> <size> [binary output file]" % script) print(" %s <process.exe> <address> <size> [binary output file]" % script) return System.request_debug_privileges() try: pid = HexInput.integer(sys.argv[1]) except: s = System() s.scan_processes() pl = s.find_processes_by_filename(sys.argv[1]) if not pl: print("Process not found: %s" % sys.argv[1]) return if len(pl) > 1: print("Multiple processes found for %s" % sys.argv[1]) for p, n in pl: print("\t%s: %s" % (HexDump.integer(p), n)) return pid = pl[0][0].get_pid() try: address = HexInput.integer(sys.argv[2]) except Exception: print("Invalid value for address: %s" % sys.argv[2]) return try: size = HexInput.integer(sys.argv[3]) except Exception: print("Invalid value for size: %s" % sys.argv[3]) return p = Process(pid) data = p.read(address, size) ## data = p.peek(address, size) print("Read %d bytes from PID %d" % (len(data), pid)) if len(sys.argv) == 5: filename = sys.argv[4] open(filename, 'wb').write(data) print("Written %d bytes to %s" % (len(data), filename)) else: if win32.sizeof(win32.LPVOID) == win32.sizeof(win32.DWORD): width = 16 else: width = 8 print print(HexDump.hexblock(data, address, width=width))
def process_read( pid, address, length ): # Instance a Process object. process = Process( pid ) # Read the process memory. data = process.read( address, length ) # You can also change the process memory. # process.write( address, "example data" ) # Return a Python string with the memory contents. return data
def strings(pid): # Instance a Process object. process = Process(pid) # For each ASCII string found in the process memory... for address, size, data in process.strings(): # Print the string and the memory address where it was found. print "%s: %s" % (HexDump.address(address), data)
def memory_search(pid, bytes): # Instance a Process object. process = Process(pid) # Search for the string in the process memory. for address in process.search_bytes(bytes): # Print the memory address where it was found. print HexDump.address(address)
def freeze_threads(pid): System.request_debug_privileges() process = Process(pid) process.scan_threads() for thread in process.iter_threads(): thread.suspend()
def show_environment( pid ): # Instance a Process object. process = Process( pid ) # Get its environment variables. environment = process.get_environment() # Print the environment variables. for variable, value in sorted( environment.items() ): print "%s=%s" % (variable, value)
def print_modules(pid): # Instance a Process object. process = Process(pid) print "Process %d" % process.get_pid() # ...and the modules in the process. print "Modules:" bits = process.get_bits() for module in process.iter_modules(): print "\t%s\t%s" % (HexDump.address(module.get_base(), bits), module.get_filename())
def addProcess(self, pid, is_attached=False): proc = Process(pid) proc.pid = pid self.procs.append(proc) def readArray(vaddr, typ, s): # print 'HIHIHI',proc, vaddr, typ, s return proc.read_structure(vaddr, typ * s) proc.read_array = readArray proc.cont = proc.resume return proc
def push_addr(pid, addr, value): x = int(addr, 16) process = Process(pid) code = '\x68' + struct.pack('<L', int(value, 16)) print "code:", code print "addr:", x try: process.write(x, code) except Exception, e: raise
def main(pid): """Main function Args: pid (int): The pid to connect to """ process = Process(pid) width, height = get_minefield_size(process) print('Width is %d' % width) print('Height is %d' % height) print() print('\n'.join(find_mines(process, width, height)))
def main(): print("Process memory writer") print("by Mario Vilas (mvilas at gmail.com)") print() if len(sys.argv) < 4: script = os.path.basename(sys.argv[0]) print(" %s <pid> <address> {binary input file / hex data}" % script) print(" %s <process.exe> <address> {binary input file / hex data}" % script) return System.request_debug_privileges() try: pid = HexInput.integer(sys.argv[1]) except Exception: s = System() s.scan_processes() pl = s.find_processes_by_filename(sys.argv[1]) if not pl: print("Process not found: %s" % sys.argv[1]) return if len(pl) > 1: print("Multiple processes found for %s" % sys.argv[1]) for p, n in pl: print("\t%s: %s" % (HexDump.integer(p), n)) return pid = pl[0][0].get_pid() try: address = HexInput.integer(sys.argv[2]) except Exception: print("Invalid value for address: %s" % sys.argv[2]) return filename = ' '.join(sys.argv[3:]) if os.path.exists(filename): data = open(filename, 'rb').read() print("Read %d bytes from %s" % (len(data), filename)) else: try: data = HexInput.hexadecimal(filename) except Exception: print("Invalid filename or hex block: %s" % filename) return p = Process(pid) p.write(address, data) print("Written %d bytes to PID %d" % (len(data), pid))
def print_threads_and_modules(pid): # Instance a Process object. process = Process(pid) print "Process %d" % process.get_pid() # Now we can enumerate the threads in the process... print "Threads:" for thread in process.iter_threads(): print "\t%d" % thread.get_tid() # ...and the modules in the process. print "Modules:" bits = process.get_bits() for module in process.iter_modules(): print "\t%s\t%s" % (HexDump.address(module.get_base(), bits), module.get_filename())
def print_threads_and_modules(pid): process = Process(pid) print "Process %d" % process.get_pid() print "Threads:" for thread in process.iter_threads(): print "\t %d" % thread.get_tid() print "Modules:" bits = process.get_bits() for module in process.iter_modules(): print "\t%s\t%s" % (HexDump.address(module.get_base(), bits), module.get_filename())
def alloc_string(pid, addr, value): x = int(addr, 16) process = Process(pid) lpNewAddr = process.malloc(len(value) + 1) newval = value + '\x0a' print HexDump.hexadecimal(newval, '\\x') try: process.write(lpNewAddr, newval) except Exception, e: process.free(lpNewAddr) raise
def hex_string(pid, addr, size, flag=1): x = int(addr, 16) process = Process(pid) data = process.read(x, size * 8) #hexdump = HexDump.printable( data ) if flag == 3: print HexDump.hexblock_dword(data, address=True, width=16) elif flag == 2: print HexDump.hexblock_word(data, address=True, width=16) else: print HexDump.hexblock(data, address=True, width=16)
def proces_info(pid, addr=""): x = int(addr, 16) process = Process(pid) print "get_arch:", process.get_arch() print "get_bits:", process.get_bits() # print "get_main_module:", process.get_main_module() print "get_command_line:", process.get_command_line() print "get_image_name:", (process.get_image_name()) print "get_image_base:", hex(process.get_image_base()) print "get_peb:", hex(process.get_peb().ImageBaseAddress) print "get_peb_address:", hex(process.get_peb_address()) print "get_entry_point:", hex(process.get_entry_point())
def print_label(pid, address): # Request debug privileges. System.request_debug_privileges() # Instance a Process object. process = Process(pid) # Lookup it's modules. process.scan_modules() # Resolve the requested label address. label = process.get_label_at_address(address) # Print the label. print("%s == 0x%.08x" % (label, address))
def read_string(pid, addr): x = int(addr, 16) process = Process(pid) # print "get_main_module:", process.get_main_module() # print "get_peb:", hex(process.get_peb().ImageBaseAddress) print "read: ", x print print "string :" read = process.peek_string(x) print read print HexDump.hexadecimal(read, '\\x')
def monitor_main(): try: while (True): status = main_loop() try: for pid in status: Process(pid).kill() except: pass #mdlog.print_console(mdlog.INFO_LEVEL,"[*] out of main loop") time.sleep(5) except KeyboardInterrupt: mdlog.print_console(mdlog.INFO_LEVEL, "[*] Force exit") except Exception, e: mdlog.print_console(mdlog.ERROR_LEVEL, "[-] Error: ", str(e))