def get_explorer_pid():
# Request debug privileges.
System.request_debug_privileges()
# Scan for running processes.
system = System()
try:
system.scan_processes()
#system.scan_process_filenames()
except WindowsError:
system.scan_processes_fast()
# For each running process...
for process in system.iter_processes():
try:
pid = process.get_pid()
if pid in (0, 4, 8):
continue
if dev:
print "* Process:", process.get_filename(), "Pid:", pid, "Time:", process.get_running_time()
if process.get_filename() == "explorer.exe":
if process.get_running_time() < 300000:
return pid
# Skip processes we don't have permission to access.
except WindowsError, e:
if e.winerror == ERROR_ACCESS_DENIED:
continue
raise
def show(search = None, wide = True):
'show a table with the list of services'
# Take a snapshot of the running processes.
s = System()
s.request_debug_privileges()
try:
s.scan_processes()
s.scan_process_filenames()
except WindowsError:
s.scan_processes_fast()
pid_list = s.get_process_ids()
pid_list.sort()
if not pid_list:
print "Unknown error enumerating processes!"
return
# Get the filename of each process.
filenames = dict()
for pid in pid_list:
p = s.get_process(pid)
# Special process IDs.
# PID 0: System Idle Process. Also has a special meaning to the
# toolhelp APIs (current process).
# PID 4: System Integrity Group. See this forum post for more info:
# http://tinyurl.com/ycza8jo
# (points to social.technet.microsoft.com)
# Only on XP and above
# PID 8: System (?) only in Windows 2000 and below AFAIK.
# It's probably the same as PID 4 in XP and above.
if pid in (0, 4, 8):
fileName = ""
# Get the filename for all other processes.
else:
fileName = p.get_filename()
if fileName:
fileName = PathOperations.pathname_to_filename(fileName)
else:
fileName = ""
# Remember the filename.
filenames[pid] = fileName
# Make the search string lowercase if given.
if search is not None:
search = search.lower()
# Get the list of services.
try:
services = System.get_services()
except WindowsError, e:
print str(e)
return
def show(search=None, wide=True):
'show a table with the list of services'
# Take a snapshot of the running processes.
s = System()
s.request_debug_privileges()
try:
s.scan_processes()
s.scan_process_filenames()
except WindowsError:
s.scan_processes_fast()
pid_list = s.get_process_ids()
pid_list.sort()
if not pid_list:
print "Unknown error enumerating processes!"
return
# Get the filename of each process.
filenames = dict()
for pid in pid_list:
p = s.get_process(pid)
# Special process IDs.
# PID 0: System Idle Process. Also has a special meaning to the
# toolhelp APIs (current process).
# PID 4: System Integrity Group. See this forum post for more info:
# http://tinyurl.com/ycza8jo
# (points to social.technet.microsoft.com)
# Only on XP and above
# PID 8: System (?) only in Windows 2000 and below AFAIK.
# It's probably the same as PID 4 in XP and above.
if pid in (0, 4, 8):
fileName = ""
# Get the filename for all other processes.
else:
fileName = p.get_filename()
if fileName:
fileName = PathOperations.pathname_to_filename(fileName)
else:
fileName = ""
# Remember the filename.
filenames[pid] = fileName
# Make the search string lowercase if given.
if search is not None:
search = search.lower()
# Get the list of services.
try:
services = System.get_services()
except WindowsError, e:
print str(e)
return
def main(argv):
# Print the banner.
print "SelectMyParent: Start a program with a selected parent process"
print "by Mario Vilas (mvilas at gmail.com)"
print "based on a Didier Stevens tool (https://DidierStevens.com)"
print
# Check the command line arguments.
if len(argv) < 3:
script = os.path.basename(argv[0])
print " %s <pid> <process.exe> [arguments]" % script
return
# Request debug privileges.
system = System()
system.request_debug_privileges()
# Parse the parent process argument.
try:
dwParentProcessId = HexInput.integer(argv[1])
except ValueError:
dwParentProcessId = None
if dwParentProcessId is not None:
dwMyProcessId = win32.GetProcessId( win32.GetCurrentProcess() )
if dwParentProcessId != dwMyProcessId:
system.scan_processes_fast()
if not system.has_process(dwParentProcessId):
print "Can't find process ID %d" % dwParentProcessId
return
else:
system.scan_processes()
process_list = system.find_processes_by_filename(argv[1])
if not process_list:
print "Can't find process %r" % argv[1]
return
if len(process_list) > 1:
print "Too many processes found:"
for process, name in process_list:
print "\t%d:\t%s" % (process.get_pid(), name)
return
dwParentProcessId = process_list[0][0].get_pid()
# Parse the target process argument.
filename = argv[2]
if not os.path.exists(filename):
try:
filename = win32.SearchPath(None, filename, '.exe')[0]
except WindowsError, e:
print "Error searching for %s: %s" % (filename, str(e))
return
argv = list(argv)
argv[2] = filename
def main(argv):
# Print the banner.
print "SelectMyParent: Start a program with a selected parent process"
print "by Mario Vilas (mvilas at gmail.com)"
print "based on a Didier Stevens tool (https://DidierStevens.com)"
print
# Check the command line arguments.
if len(argv) < 3:
script = os.path.basename(argv[0])
print " %s <pid> <process.exe> [arguments]" % script
return
# Request debug privileges.
system = System()
system.request_debug_privileges()
# Parse the parent process argument.
try:
dwParentProcessId = HexInput.integer(argv[1])
except ValueError:
dwParentProcessId = None
if dwParentProcessId is not None:
dwMyProcessId = win32.GetProcessId(win32.GetCurrentProcess())
if dwParentProcessId != dwMyProcessId:
system.scan_processes_fast()
if not system.has_process(dwParentProcessId):
print "Can't find process ID %d" % dwParentProcessId
return
else:
system.scan_processes()
process_list = system.find_processes_by_filename(argv[1])
if not process_list:
print "Can't find process %r" % argv[1]
return
if len(process_list) > 1:
print "Too many processes found:"
for process, name in process_list:
print "\t%d:\t%s" % (process.get_pid(), name)
return
dwParentProcessId = process_list[0][0].get_pid()
# Parse the target process argument.
filename = argv[2]
if not ntpath.exists(filename):
try:
filename = win32.SearchPath(None, filename, '.exe')[0]
except WindowsError, e:
print "Error searching for %s: %s" % (filename, str(e))
return
argv = list(argv)
argv[2] = filename
def find_hook_pid( procname ):
global gpid
global xp
global oldpid
s = System()
s.request_debug_privileges()
try:
s.scan_processes()
s.scan_process_filenames()
except WindowsError:
s.scan_processes_fast()
pid_list = s.get_process_ids()
pid_list.sort(reverse=True)
if not pid_list:
print "Unknown error enumerating processes!"
# s = raw_input()
sys.exit(1)
for pid in pid_list:
p = s.get_process(pid)
fileName = p.get_filename()
fname = str(fileName).lower()
if dev:
print "Process:", fname, "Pid:", pid
if fname.find(procname) >= 0:
if int(pid) != int(gpid):
oldpid = gpid
gpid = pid
if procname.find("svchost.exe") >= 0:
gpid = int(get_svchost_pid())
return gpid
elif procname.find("explorer.exe") >= 0:
gpid = int(get_explorer_pid())
return gpid
else:
return pid
return 0
header = ( " PID ", "DEP ", "DEP-ATL ", "Permanent ", "Filename " )
separator = [ " " * len(x) for x in header ]
table = Table()
table.addRow( *header )
table.addRow( *separator )
# Request debug privileges.
System.request_debug_privileges()
# Scan for running processes.
system = System()
try:
system.scan_processes()
#system.scan_process_filenames()
except WindowsError:
system.scan_processes_fast()
# For each running process...
for process in system.iter_processes():
try:
# Get the process ID.
pid = process.get_pid()
# Skip "special" process IDs.
if pid in (0, 4, 8):
continue
# Skip 64 bit processes.
if process.get_bits() != 32:
continue
header = (" PID ", "DEP ", "DEP-ATL ", "Permanent ", "Filename ")
separator = [" " * len(x) for x in header]
table = Table()
table.addRow(*header)
table.addRow(*separator)
# Request debug privileges.
System.request_debug_privileges()
# Scan for running processes.
system = System()
try:
system.scan_processes()
#system.scan_process_filenames()
except WindowsError:
system.scan_processes_fast()
# For each running process...
for process in system.iter_processes():
try:
# Get the process ID.
pid = process.get_pid()
# Skip "special" process IDs.
if pid in (0, 4, 8):
continue
# Skip 64 bit processes.
if process.get_bits() != 32:
continue
def main(argv):
# print(the banner.)
print("SelectMyParent: Start a program with a selected parent process")
print("by Mario Vilas (mvilas at gmail.com)")
print("based on a Didier Stevens tool (https://DidierStevens.com)")
print
# Check the command line arguments.
if len(argv) < 3:
script = os.path.basename(argv[0])
print(" %s <pid> <process.exe> [arguments]" % script)
return
# Request debug privileges.
system = System()
system.request_debug_privileges()
# Parse the parent process argument.
try:
dwParentProcessId = HexInput.integer(argv[1])
except ValueError:
dwParentProcessId = None
if dwParentProcessId is not None:
dwMyProcessId = win32.GetProcessId(win32.GetCurrentProcess())
if dwParentProcessId != dwMyProcessId:
system.scan_processes_fast()
if not system.has_process(dwParentProcessId):
print("Can't find process ID %d" % dwParentProcessId)
return
else:
system.scan_processes()
process_list = system.find_processes_by_filename(argv[1])
if not process_list:
print("Can't find process %r" % argv[1])
return
if len(process_list) > 1:
print("Too many processes found:")
for process, name in process_list:
print("\t%d:\t%s" % (process.get_pid(), name))
return
dwParentProcessId = process_list[0][0].get_pid()
# Parse the target process argument.
filename = argv[2]
if not ntpath.exists(filename):
try:
filename = win32.SearchPath(None, filename, '.exe')[0]
except WindowsError as e:
print("Error searching for %s: %s" % (filename, str(e)))
return
argv = list(argv)
argv[2] = filename
# Start the new process.
try:
process = system.start_process(system.argv_to_cmdline(argv[2:]),
bConsole=True,
bInheritHandles=True,
dwParentProcessId=dwParentProcessId)
dwProcessId = process.get_pid()
except AttributeError as e:
if "InitializeProcThreadAttributeList" in str(e):
print("This tool requires Windows Vista or above.")
else:
print("Error starting new process: %s" % str(e))
return
except WindowsError as e:
print("Error starting new process: %s" % str(e))
return
print("Process created: %d" % dwProcessId)
return dwProcessId
def main(argv):
'Main function.'
# Print the banner.
print "Process enumerator"
print "by Mario Vilas (mvilas at gmail.com)"
print
# Parse the command line options.
(options, argv) = parse_cmdline(argv)
showFilenameOnly = not options.full_path
searchString = options.search
# Windows filenames are case insensitive.
if searchString:
searchString = searchString.lower()
# Take a snapshot of the running processes.
s = System()
s.request_debug_privileges()
try:
s.scan_processes()
if not showFilenameOnly:
s.scan_process_filenames()
except WindowsError:
s.scan_processes_fast()
pid_list = s.get_process_ids()
pid_list.sort()
if not pid_list:
print "Unknown error enumerating processes!"
return
# Get the filename of each process.
filenames = dict()
for pid in pid_list:
p = s.get_process(pid)
fileName = p.get_filename()
# Special process IDs.
# PID 0: System Idle Process. Also has a special meaning to the
# toolhelp APIs (current process).
# PID 4: System Integrity Group. See this forum post for more info:
# http://tinyurl.com/ycza8jo
# (points to social.technet.microsoft.com)
# Only on XP and above
# PID 8: System (?) only in Windows 2000 and below AFAIK.
# It's probably the same as PID 4 in XP and above.
if pid == 0:
fileName = "[System Idle Process]"
elif pid == 4:
fileName = "[System Integrity Group]"
elif pid == 8:
fileName = "[System]"
# Filename not available.
elif not fileName:
fileName = ""
# Get the process pathname instead, if requested.
elif showFilenameOnly:
fileName = PathOperations.pathname_to_filename(fileName)
# Filter the output with the search string.
if searchString and searchString not in fileName.lower():
continue
# Remember the filename.
filenames[pid] = fileName
# Get the window captions if requested.
# TODO: show window handles too if possible
captions = dict()
if options.windows:
for w in s.get_windows():
try:
pid = w.get_pid()
text = w.get_text()
except WindowsError:
continue
try:
captions[pid].add(text)
except KeyError:
capset = set()
capset.add(text)
captions[pid] = capset
# Get the services if requested.
services = dict()
if options.services:
try:
for descriptor in s.get_services():
try:
services[descriptor.ProcessId].add(descriptor.ServiceName)
except KeyError:
srvset = set()
srvset.add(descriptor.ServiceName)
services[descriptor.ProcessId] = srvset
except WindowsError, e:
print "Error getting the list of services: %s" % str(e)
return
def main(argv):
'Main function.'
# Print the banner.
print "Process enumerator"
print "by Mario Vilas (mvilas at gmail.com)"
print
# Parse the command line options.
(options, argv) = parse_cmdline(argv)
showFilenameOnly = not options.full_path
searchString = options.search
# Windows filenames are case insensitive.
if searchString:
searchString = searchString.lower()
# Take a snapshot of the running processes.
s = System()
s.request_debug_privileges()
try:
s.scan_processes()
if not showFilenameOnly:
s.scan_process_filenames()
except WindowsError:
s.scan_processes_fast()
pid_list = s.get_process_ids()
pid_list.sort()
if not pid_list:
print "Unknown error enumerating processes!"
return
# Get the filename of each process.
filenames = dict()
for pid in pid_list:
p = s.get_process(pid)
fileName = p.get_filename()
# Special process IDs.
# PID 0: System Idle Process. Also has a special meaning to the
# toolhelp APIs (current process).
# PID 4: System Integrity Group. See this forum post for more info:
# http://tinyurl.com/ycza8jo
# (points to social.technet.microsoft.com)
# Only on XP and above
# PID 8: System (?) only in Windows 2000 and below AFAIK.
# It's probably the same as PID 4 in XP and above.
if pid == 0:
fileName = "[System Idle Process]"
elif pid == 4:
fileName = "[System Integrity Group]"
elif pid == 8:
fileName = "[System]"
# Filename not available.
elif not fileName:
fileName = ""
# Get the process pathname instead, if requested.
elif showFilenameOnly:
fileName = PathOperations.pathname_to_filename(fileName)
# Filter the output with the search string.
if searchString and searchString not in fileName.lower():
continue
# Remember the filename.
filenames[pid] = fileName
# Get the window captions if requested.
# TODO: show window handles too if possible
captions = dict()
if options.windows:
for w in s.get_windows():
try:
pid = w.get_pid()
text = w.get_text()
except WindowsError:
continue
try:
captions[pid].add(text)
except KeyError:
capset = set()
capset.add(text)
captions[pid] = capset
# Get the services if requested.
services = dict()
if options.services:
try:
for descriptor in s.get_services():
try:
services[descriptor.ProcessId].add(descriptor.ServiceName)
except KeyError:
srvset = set()
srvset.add(descriptor.ServiceName)
services[descriptor.ProcessId] = srvset
except WindowsError, e:
print "Error getting the list of services: %s" % str(e)
return
def main(argv):
'Main function.'
# Print the banner.
print("Process enumerator")
print("by Mario Vilas (mvilas at gmail.com)")
print()
# Parse the command line options.
(options, argv) = parse_cmdline(argv)
showFilenameOnly = not options.full_path
searchString = options.search
# Windows filenames are case insensitive.
if searchString:
searchString = searchString.lower()
# Take a snapshot of the running processes.
s = System()
s.request_debug_privileges()
try:
s.scan_processes()
if not showFilenameOnly:
s.scan_process_filenames()
except WindowsError:
s.scan_processes_fast()
pid_list = s.get_process_ids()
pid_list.sort()
if not pid_list:
print("Unknown error enumerating processes!")
return
# Get the filename of each process.
filenames = dict()
for pid in pid_list:
p = s.get_process(pid)
fileName = p.get_filename()
# Special process IDs.
# PID 0: System Idle Process. Also has a special meaning to the
# toolhelp APIs (current process).
# PID 4: System Integrity Group. See this forum post for more info:
# http://tinyurl.com/ycza8jo
# (points to social.technet.microsoft.com)
# Only on XP and above
# PID 8: System (?) only in Windows 2000 and below AFAIK.
# It's probably the same as PID 4 in XP and above.
if pid == 0:
fileName = "[System Idle Process]"
elif pid == 4:
fileName = "[System Integrity Group]"
elif pid == 8:
fileName = "[System]"
# Filename not available.
elif not fileName:
fileName = ""
# Get the process pathname instead, if requested.
elif showFilenameOnly:
fileName = PathOperations.pathname_to_filename(fileName)
# Filter the output with the search string.
if searchString and searchString not in fileName.lower():
continue
# Remember the filename.
filenames[pid] = fileName
# Get the window captions if requested.
# TODO: show window handles too if possible
captions = dict()
if options.windows:
for w in s.get_windows():
try:
pid = w.get_pid()
text = w.get_text()
except WindowsError:
continue
try:
captions[pid].add(text)
except KeyError:
capset = set()
capset.add(text)
captions[pid] = capset
# Get the services if requested.
services = dict()
if options.services:
try:
for descriptor in s.get_services():
try:
services[descriptor.ProcessId].add(descriptor.ServiceName)
except KeyError:
srvset = set()
srvset.add(descriptor.ServiceName)
services[descriptor.ProcessId] = srvset
except WindowsError as e:
print("Error getting the list of services: %s" % str(e))
return
if options.format == "auto":
if options.windows or options.services:
options.format = "long"
if options.format != "long":
headers = [" PID", "Filename"]
if options.windows:
headers.append("Windows")
if options.services:
headers.append("Services")
table = Table()
table.addRow(*headers)
for pid in pid_list:
if pid in filenames:
fileName = filenames[pid]
caplist = sorted(captions.get(pid, set()))
srvlist = sorted(services.get(pid, set()))
if options.windows and options.services:
if len(caplist) < len(srvlist):
caplist.extend([''] * (len(srvlist) - len(caplist)))
elif len(srvlist) < len(caplist):
srvlist.extend([''] * (len(caplist) - len(srvlist)))
if len(caplist):
table.addRow(' %d' % pid, fileName, caplist[0],
srvlist[0])
for i in range(1, len(caplist)):
table.addRow('', '', caplist[i], srvlist[i])
else:
table.addRow(' %d' % pid, fileName, '', '')
elif options.windows:
if len(caplist):
table.addRow(' %d' % pid, fileName, caplist[0])
for i in range(1, len(caplist)):
table.addRow('', '', caplist[i])
else:
table.addRow(' %d' % pid, fileName, '')
elif options.services:
if len(srvlist):
table.addRow(' %d' % pid, fileName, srvlist[0])
for i in range(1, len(srvlist)):
table.addRow('', '', srvlist[i])
else:
table.addRow(' %d' % pid, fileName, '')
else:
table.addRow(' %d' % pid, fileName)
table.justify(0, 1)
if options.format == "auto" and table.getWidth() >= 80:
options.format = "long"
else:
table.show()
if options.format == "long":
# If it doesn't fit, build a new table of only two rows. The first row
# contains the headers and the second row the data. Insert an empty row
# between each process.
need_empty_row = False
table = Table()
for pid in pid_list:
if pid in filenames:
if need_empty_row:
table.addRow()
else:
need_empty_row = True
table.addRow("PID:", pid)
fileName = filenames[pid]
if fileName:
table.addRow("Filename:", fileName)
caplist = sorted(captions.get(pid, set()))
if caplist:
caption = caplist.pop(0)
table.addRow("Windows:", caption)
for caption in caplist:
table.addRow('', caption)
srvlist = sorted(services.get(pid, set()))
if srvlist:
srvname = srvlist.pop(0)
table.addRow("Services:", srvname)
for srvname in srvlist:
table.addRow('', srvname)
table.justify(0, 1)
table.show()
def show(search=None, wide=True):
'show a table with the list of services'
# Take a snapshot of the running processes.
s = System()
s.request_debug_privileges()
try:
s.scan_processes()
s.scan_process_filenames()
except WindowsError:
s.scan_processes_fast()
pid_list = s.get_process_ids()
pid_list.sort()
if not pid_list:
print("Unknown error enumerating processes!")
return
# Get the filename of each process.
filenames = dict()
for pid in pid_list:
p = s.get_process(pid)
# Special process IDs.
# PID 0: System Idle Process. Also has a special meaning to the
# toolhelp APIs (current process).
# PID 4: System Integrity Group. See this forum post for more info:
# http://tinyurl.com/ycza8jo
# (points to social.technet.microsoft.com)
# Only on XP and above
# PID 8: System (?) only in Windows 2000 and below AFAIK.
# It's probably the same as PID 4 in XP and above.
if pid in (0, 4, 8):
fileName = ""
# Get the filename for all other processes.
else:
fileName = p.get_filename()
if fileName:
fileName = PathOperations.pathname_to_filename(fileName)
else:
fileName = ""
# Remember the filename.
filenames[pid] = fileName
# Make the search string lowercase if given.
if search is not None:
search = search.lower()
# Get the list of services.
try:
services = System.get_services()
except WindowsError as e:
print(str(e))
return
# Convert the list of services to a list of rows.
data = []
for descriptor in services:
# Filter out services that don't match the search string if given.
if search is not None and \
not search in descriptor.ServiceName.lower() and \
not search in descriptor.DisplayName.lower():
continue
# Status.
if descriptor.CurrentState == win32.SERVICE_CONTINUE_PENDING:
status = "Resuming..."
elif descriptor.CurrentState == win32.SERVICE_PAUSE_PENDING:
status = "Pausing..."
elif descriptor.CurrentState == win32.SERVICE_PAUSED:
status = "Paused"
elif descriptor.CurrentState == win32.SERVICE_RUNNING:
status = "Running"
elif descriptor.CurrentState == win32.SERVICE_START_PENDING:
status = "Starting..."
elif descriptor.CurrentState == win32.SERVICE_STOP_PENDING:
status = "Stopping..."
elif descriptor.CurrentState == win32.SERVICE_STOPPED:
status = "Stopped"
# Type.
if descriptor.ServiceType & win32.SERVICE_INTERACTIVE_PROCESS:
type = 'Win32 GUI'
elif descriptor.ServiceType & win32.SERVICE_WIN32:
type = 'Win32'
elif descriptor.ServiceType & win32.SERVICE_DRIVER:
type = 'Driver'
else:
type = 'Unknown'
# Process ID.
try:
pid = descriptor.ProcessId
if pid:
pidStr = str(pid)
else:
pidStr = ""
except AttributeError:
pid = None
pidStr = ""
# Filename.
fileName = filenames.get(pid, "")
# Append the row.
data.append((descriptor.ServiceName, descriptor.DisplayName, status,
type, pidStr, fileName))
# Sort the rows.
data = sorted(data)
# Build the table and print it.
if wide:
headers = ("Service", "Display name", "Status", "Type", "PID", "Path")
table = Table()
table.addRow(*headers)
separator = ['-' * len(x) for x in headers]
table.addRow(*separator)
for row in data:
table.addRow(*row)
table.show()
else:
need_empty_line = False
for (name, disp, status, type, pidStr, path) in data:
if need_empty_line:
print()
else:
need_empty_line = True
print("Service name: %s" % name)
if disp:
print("Display name: %s" % disp)
print("Current status: %s" % status)
print("Service type: %s" % type)
if pidStr:
pid = int(pidStr)
print("Process ID: %d (0x%x)" % (pid, pid))
if path:
print("Host filename: %s" % path)
