def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error(
'Unable to access file at path "%s", '
"execution aborted", path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = '"' + path + '" '
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
created = KERNEL32.CreateProcessW(path, arguments, None, None, None,
creation_flags, None,
os.getenv("TEMP"),
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info(
'Successfully executed process from path "%s" with '
'arguments "%s" with pid %d', path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error(
'Failed to execute process from path "%s" with '
'arguments "%s" (Error: %s)',
path,
args,
get_error_string(KERNEL32.GetLastError()),
)
return False
def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error("Unable to access file at path \"%s\", "
"execution aborted", path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = "\"" + path + "\" "
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
created = KERNEL32.CreateProcessA(path,
arguments,
None,
None,
None,
creation_flags,
None,
os.getenv("TEMP"),
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info("Successfully executed process from path \"%s\" with "
"arguments \"%s\" with pid %d", path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error("Failed to execute process from path \"%s\" with "
"arguments \"%s\" (Error: %s)", path, args,
get_error_string(KERNEL32.GetLastError()))
return False
def create_monitored_process(self, process_path, args=""):
"""
Creating a new process to monitor by the driver.
The process will be created in suspended mode, then after the PID will be
sent to the driver for further monitoring. When the driver is done
initializing, the process can be resumed.
Parameters:
process_path (string), the path of the process to create, unicode
string.
args (unicode), additional arguments to provide to the process
Return value:
list of process parameters: (h_process, h_thread, pid, tid)
"""
# Initializations
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
startup_info.dwFlags = win32process.STARTF_USESHOWWINDOW
startup_info.wShowWindow = win32con.SW_NORMAL
KERNEL32.CreateProcessW.errcheck = self.errcheck # assign a callable
process_info = PROCESS_INFORMATION()
creation_flags = CREATE_NEW_CONSOLE | CREATE_SUSPENDED
# Create new process (UNICODE)
success = KERNEL32.CreateProcessW(None,
"%s %s" % (process_path, args),
None,
None,
None,
creation_flags,
None,
None, # Starting path?
ctypes.byref(startup_info),
ctypes.byref(process_info))
# Data
h_process, h_thread, pid, tid = process_info.hProcess, process_info.hThread, process_info.dwProcessId, process_info.dwThreadId,
pid = self._check_preloaded_pid(pid)
# Hack to monitor first pid - this process
try:
self._send_ioctl(self._driver_communication_device, self._ioctl_monitor, str(pid))
pass
except Exception, e:
error_code = KERNEL32.GetLastError()
log.error("Failed monitoring, GLE: [%d]-[%s]", error_code, get_error_string(error_code))
log.error(str(e))
return (False, h_process, h_thread, pid, tid)
def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error('Unable to access file at path "%s", execution aborted',
path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = f'"{path}" '
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
# Use the custom execution directory if provided, otherwise launch in the same location
# where the sample resides (default %TEMP%)
if "executiondir" in self.options.keys():
execution_directory = self.options["executiondir"]
elif "curdir" in self.options.keys():
execution_directory = self.options["curdir"]
else:
execution_directory = os.getenv("TEMP")
# Try to create the custom directories so that the execution path is deemed valid
create_custom_folders(execution_directory)
created = KERNEL32.CreateProcessW(path, arguments, None, None, None,
creation_flags, None,
execution_directory,
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info(
'Successfully executed process from path "%s" with arguments "%s" with pid %d',
path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error(
'Failed to execute process from path "%s" with arguments "%s" (Error: %s)',
path,
args,
get_error_string(KERNEL32.GetLastError()),
)
return False
