def get_explorer_pid():
    """Return the PID of a recently started ``explorer.exe``, or ``None``.

    Takes a snapshot of the running processes (falling back to the fast
    scan when the full scan raises WindowsError), skips the special PIDs
    0, 4 and 8, and returns the first process whose ``get_filename()``
    equals ``"explorer.exe"`` and whose ``get_running_time()`` is below
    300000 (presumably milliseconds, i.e. five minutes -- TODO confirm the
    unit against Process.get_running_time).  When no such process exists
    the function falls off the end and returns ``None``; callers that wrap
    the result in ``int()`` must be prepared for that.

    NOTE(review): elsewhere in this tool set the result of
    ``get_filename()`` is passed through ``PathOperations``, which suggests
    it may be a full path; if so the bare-name comparison below would never
    match -- confirm.

    Raises:
        WindowsError: re-raised for any per-process error whose ``winerror``
            is not ERROR_ACCESS_DENIED (access-denied processes are skipped).
    """
    System.request_debug_privileges()
    snapshot = System()
    try:
        snapshot.scan_processes()
    except WindowsError:
        # The full scan needs more rights than the fast one.
        snapshot.scan_processes_fast()
    skip_pids = (0, 4, 8)
    for proc in snapshot.iter_processes():
        try:
            candidate = proc.get_pid()
            if candidate in skip_pids:
                continue
            name = proc.get_filename()
            if dev:
                # ``dev`` is a module-level debug flag (defined elsewhere).
                print "* Process:", name, "Pid:", candidate, "Time:", proc.get_running_time()
            if name != "explorer.exe":
                continue
            if proc.get_running_time() < 300000:
                return candidate
        except WindowsError, e:
            if e.winerror != ERROR_ACCESS_DENIED:
                raise
            # No rights to inspect this process: skip it.
            continue
def show(search = None, wide = True):
    """Show a table with the list of services.

    Args:
        search: optional substring; it is lowercased here and presumably used
            to filter the service rows in the part of the function that is
            not included in this excerpt (TODO confirm).
        wide: not referenced within the excerpt shown here.

    Prints a message and returns early when no processes can be enumerated
    or ``System.get_services()`` raises WindowsError.
    """
    # Take a snapshot of the running processes.
    s = System()
    s.request_debug_privileges()
    try:
        s.scan_processes()
        s.scan_process_filenames()
    except WindowsError:
        # The full scan needs more rights than the fast one.
        s.scan_processes_fast()
    pid_list = s.get_process_ids()
    pid_list.sort()
    if not pid_list:
        print "Unknown error enumerating processes!"
        return
    # Get the filename of each process (pid -> bare filename, "" if unknown).
    filenames = dict()
    for pid in pid_list:
        p = s.get_process(pid)
        # Special process IDs.
        # PID 0: System Idle Process. Also has a special meaning to the
        # toolhelp APIs (current process).
        # PID 4: System Integrity Group. See this forum post for more info:
        # http://tinyurl.com/ycza8jo
        # (points to social.technet.microsoft.com)
        # Only on XP and above
        # PID 8: System (?) only in Windows 2000 and below AFAIK.
        # It's probably the same as PID 4 in XP and above.
        if pid in (0, 4, 8):
            fileName = ""
        # Get the filename for all other processes.
        else:
            fileName = p.get_filename()
            if fileName:
                # Keep only the file name, not the full path.
                fileName = PathOperations.pathname_to_filename(fileName)
            else:
                fileName = ""
        # Remember the filename.
        filenames[pid] = fileName
    # Make the search string lowercase if given.
    if search is not None:
        search = search.lower()
    # Get the list of services.
    try:
        services = System.get_services()
    except WindowsError, e:
        print str(e)
        return
def show(search=None, wide=True):
    """Show a table with the list of services.

    Args:
        search: optional substring; it is lowercased here and presumably used
            to filter the service rows in the part of the function that is
            not included in this excerpt (TODO confirm).
        wide: not referenced within the excerpt shown here.

    Prints a message and returns early when no processes can be enumerated
    or ``System.get_services()`` raises WindowsError.
    """
    # Take a snapshot of the running processes.
    s = System()
    s.request_debug_privileges()
    try:
        s.scan_processes()
        s.scan_process_filenames()
    except WindowsError:
        # The full scan needs more rights than the fast one.
        s.scan_processes_fast()
    pid_list = s.get_process_ids()
    pid_list.sort()
    if not pid_list:
        print "Unknown error enumerating processes!"
        return
    # Get the filename of each process (pid -> bare filename, "" if unknown).
    filenames = dict()
    for pid in pid_list:
        p = s.get_process(pid)
        # Special process IDs.
        # PID 0: System Idle Process. Also has a special meaning to the
        # toolhelp APIs (current process).
        # PID 4: System Integrity Group. See this forum post for more info:
        # http://tinyurl.com/ycza8jo
        # (points to social.technet.microsoft.com)
        # Only on XP and above
        # PID 8: System (?) only in Windows 2000 and below AFAIK.
        # It's probably the same as PID 4 in XP and above.
        if pid in (0, 4, 8):
            fileName = ""
        # Get the filename for all other processes.
        else:
            fileName = p.get_filename()
            if fileName:
                # Keep only the file name, not the full path.
                fileName = PathOperations.pathname_to_filename(fileName)
            else:
                fileName = ""
        # Remember the filename.
        filenames[pid] = fileName
    # Make the search string lowercase if given.
    if search is not None:
        search = search.lower()
    # Get the list of services.
    try:
        services = System.get_services()
    except WindowsError, e:
        print str(e)
        return
def main(argv):
    """Resolve the parent process and target program given on the command line.

    Args:
        argv: the command line.  ``argv[1]`` selects the parent process,
            either as a process ID accepted by ``HexInput.integer`` or,
            failing that, as an executable name looked up with
            ``System.find_processes_by_filename`` (which must match exactly
            one process).  ``argv[2]`` is the program to run; a path that does
            not exist as given is resolved with ``win32.SearchPath``.

    Returns ``None`` after printing a message on any validation failure.
    NOTE(review): this excerpt ends once ``argv[2]`` has been resolved; the
    process creation that uses ``dwParentProcessId`` is not shown here.
    """
    # Print the banner.
    print "SelectMyParent: Start a program with a selected parent process"
    print "by Mario Vilas (mvilas at gmail.com)"
    print "based on a Didier Stevens tool (https://DidierStevens.com)"
    print
    # Check the command line arguments.
    if len(argv) < 3:
        script = os.path.basename(argv[0])
        print "  %s <pid> <process.exe> [arguments]" % script
        return
    # Request debug privileges.
    system = System()
    system.request_debug_privileges()
    # Parse the parent process argument: a number selects a PID directly,
    # anything else is treated as an executable name.
    try:
        dwParentProcessId = HexInput.integer(argv[1])
    except ValueError:
        dwParentProcessId = None
    if dwParentProcessId is not None:
        dwMyProcessId = win32.GetProcessId( win32.GetCurrentProcess() )
        # Our own PID obviously exists; any other one is checked against a
        # (fast) snapshot of the running processes.
        if dwParentProcessId != dwMyProcessId:
            system.scan_processes_fast()
            if not system.has_process(dwParentProcessId):
                print "Can't find process ID %d" % dwParentProcessId
                return
    else:
        system.scan_processes()
        process_list = system.find_processes_by_filename(argv[1])
        if not process_list:
            print "Can't find process %r" % argv[1]
            return
        # Refuse to guess when the name is ambiguous; list the candidates.
        if len(process_list) > 1:
            print "Too many processes found:"
            for process, name in process_list:
                print "\t%d:\t%s" % (process.get_pid(), name)
            return
        dwParentProcessId = process_list[0][0].get_pid()
    # Parse the target process argument.
    # NOTE(review): SearchPath with a NULL path argument uses the system's
    # default search order; confirm that is the intended lookup for bare names.
    filename = argv[2]
    if not os.path.exists(filename):
        try:
            filename = win32.SearchPath(None, filename, '.exe')[0]
        except WindowsError, e:
            print "Error searching for %s: %s" % (filename, str(e))
            return
    # Copy before mutating: argv may be the caller's list.
    argv = list(argv)
    argv[2] = filename
def main(argv):
    """Resolve the parent process and target program given on the command line.

    Args:
        argv: the command line.  ``argv[1]`` selects the parent process,
            either as a process ID accepted by ``HexInput.integer`` or,
            failing that, as an executable name looked up with
            ``System.find_processes_by_filename`` (which must match exactly
            one process).  ``argv[2]`` is the program to run; a path that does
            not exist as given is resolved with ``win32.SearchPath``.

    Returns ``None`` after printing a message on any validation failure.
    NOTE(review): this excerpt ends once ``argv[2]`` has been resolved; the
    process creation that uses ``dwParentProcessId`` is not shown here.
    """
    # Print the banner.
    print "SelectMyParent: Start a program with a selected parent process"
    print "by Mario Vilas (mvilas at gmail.com)"
    print "based on a Didier Stevens tool (https://DidierStevens.com)"
    print
    # Check the command line arguments.
    if len(argv) < 3:
        script = os.path.basename(argv[0])
        print "  %s <pid> <process.exe> [arguments]" % script
        return
    # Request debug privileges.
    system = System()
    system.request_debug_privileges()
    # Parse the parent process argument: a number selects a PID directly,
    # anything else is treated as an executable name.
    try:
        dwParentProcessId = HexInput.integer(argv[1])
    except ValueError:
        dwParentProcessId = None
    if dwParentProcessId is not None:
        dwMyProcessId = win32.GetProcessId(win32.GetCurrentProcess())
        # Our own PID obviously exists; any other one is checked against a
        # (fast) snapshot of the running processes.
        if dwParentProcessId != dwMyProcessId:
            system.scan_processes_fast()
            if not system.has_process(dwParentProcessId):
                print "Can't find process ID %d" % dwParentProcessId
                return
    else:
        system.scan_processes()
        process_list = system.find_processes_by_filename(argv[1])
        if not process_list:
            print "Can't find process %r" % argv[1]
            return
        # Refuse to guess when the name is ambiguous; list the candidates.
        if len(process_list) > 1:
            print "Too many processes found:"
            for process, name in process_list:
                print "\t%d:\t%s" % (process.get_pid(), name)
            return
        dwParentProcessId = process_list[0][0].get_pid()
    # Parse the target process argument.
    # NOTE(review): SearchPath with a NULL path argument uses the system's
    # default search order; confirm that is the intended lookup for bare names.
    filename = argv[2]
    if not ntpath.exists(filename):
        try:
            filename = win32.SearchPath(None, filename, '.exe')[0]
        except WindowsError, e:
            print "Error searching for %s: %s" % (filename, str(e))
            return
    # Copy before mutating: argv may be the caller's list.
    argv = list(argv)
    argv[2] = filename
def find_hook_pid( procname ):
    """Find a process whose filename contains *procname* and update ``gpid``.

    Scans the running processes (highest PID first) and returns the first PID
    whose lowercased filename contains *procname* (substring match, so a
    partial name matches too) and that differs from the module-level ``gpid``.
    On a match the previous ``gpid`` is saved in ``oldpid`` and ``gpid`` is
    replaced.  For names containing ``svchost.exe`` / ``explorer.exe`` the PID
    is instead taken from ``get_svchost_pid()`` / ``get_explorer_pid()``.
    Returns 0 when no such process is found.  Exits the interpreter with
    status 1 if no PIDs could be enumerated at all.

    NOTE(review): ``int(gpid)`` raises TypeError if ``gpid`` is None on the
    first call, and ``int(get_svchost_pid())`` / ``int(get_explorer_pid())``
    do the same if those helpers return None on a miss -- confirm their
    initial values and not-found conventions.
    NOTE(review): the global ``xp`` is declared here but never used in this
    function; the ``else: return pid`` branch is read as the last arm of the
    svchost/explorer chain -- confirm against the original indentation.
    """
    global gpid
    global xp
    global oldpid
    s = System()
    s.request_debug_privileges()
    try:
        s.scan_processes()
        s.scan_process_filenames()
    except WindowsError:
        # The full scan needs more rights than the fast one.
        s.scan_processes_fast()
    pid_list = s.get_process_ids()
    # Newest (highest) PIDs are examined first.
    pid_list.sort(reverse=True)
    if not pid_list:
        print "Unknown error enumerating processes!"
        # s = raw_input()
        sys.exit(1)
    for pid in pid_list:
        p = s.get_process(pid)
        fileName = p.get_filename()
        # str() guards against a None filename; the comparison is case-insensitive.
        fname = str(fileName).lower()
        if dev:
            # ``dev`` is a module-level debug flag (defined elsewhere).
            print "Process:", fname, "Pid:", pid
        if fname.find(procname) >= 0:
            # Only a process other than the one already tracked counts as a hit.
            if int(pid) != int(gpid):
                oldpid = gpid
                gpid = pid
                if procname.find("svchost.exe") >= 0:
                    gpid = int(get_svchost_pid())
                    return gpid
                elif procname.find("explorer.exe") >= 0:
                    gpid = int(get_explorer_pid())
                    return gpid
                else:
                    return pid
    return 0
# Column headers of the per-process report; the separator row is made of blank
# cells of the same widths so the columns line up in the Table.
header = ( " PID ", "DEP ", "DEP-ATL ", "Permanent ", "Filename " )
separator = [ " " * len(x) for x in header ]
table = Table()
table.addRow( *header )
table.addRow( *separator )
# Request debug privileges.
System.request_debug_privileges()
# Scan for running processes.
system = System()
try:
    system.scan_processes()
    #system.scan_process_filenames()
except WindowsError:
    # The full scan needs more rights than the fast one.
    system.scan_processes_fast()
# For each running process...
# NOTE(review): this excerpt ends inside the per-process try block; the DEP
# queries that fill the table and the matching except clause are not shown.
for process in system.iter_processes():
    try:
        # Get the process ID.
        pid = process.get_pid()
        # Skip "special" process IDs.
        if pid in (0, 4, 8):
            continue
        # Skip 64 bit processes.
        # NOTE(review): the reason for the 32-bit restriction lies outside this
        # excerpt; presumably the DEP flags queried later apply to 32-bit
        # processes only -- confirm.
        if process.get_bits() != 32:
            continue
# Column headers of the per-process report; the separator row is made of blank
# cells of the same widths so the columns line up in the Table.
header = (" PID ", "DEP ", "DEP-ATL ", "Permanent ", "Filename ")
separator = [" " * len(x) for x in header]
table = Table()
table.addRow(*header)
table.addRow(*separator)
# Request debug privileges.
System.request_debug_privileges()
# Scan for running processes.
system = System()
try:
    system.scan_processes()
    #system.scan_process_filenames()
except WindowsError:
    # The full scan needs more rights than the fast one.
    system.scan_processes_fast()
# For each running process...
# NOTE(review): this excerpt ends inside the per-process try block; the DEP
# queries that fill the table and the matching except clause are not shown.
for process in system.iter_processes():
    try:
        # Get the process ID.
        pid = process.get_pid()
        # Skip "special" process IDs.
        if pid in (0, 4, 8):
            continue
        # Skip 64 bit processes.
        # NOTE(review): the reason for the 32-bit restriction lies outside this
        # excerpt; presumably the DEP flags queried later apply to 32-bit
        # processes only -- confirm.
        if process.get_bits() != 32:
            continue
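def main(argv):
    """Start ``argv[2:]`` as a new process whose parent is the one named in ``argv[1]``.

    Args:
        argv: the command line.  ``argv[1]`` selects the parent process,
            either as a process ID accepted by ``HexInput.integer`` or,
            failing that, as an executable name looked up with
            ``System.find_processes_by_filename`` (which must match exactly
            one process).  ``argv[2]`` is the program to run -- a path that
            does not exist as given is resolved with ``win32.SearchPath`` --
            and ``argv[3:]`` are its arguments.

    Returns:
        The PID of the created process, or ``None`` after printing a message
        when the arguments are invalid, the parent cannot be found, the program
        cannot be located, or process creation fails.
    """
    # Print the banner.
    print("SelectMyParent: Start a program with a selected parent process")
    print("by Mario Vilas (mvilas at gmail.com)")
    print("based on a Didier Stevens tool (https://DidierStevens.com)")
    # A bare ``print`` is a no-op expression in Python 3, so the blank line
    # after the banner went missing in the 2->3 port; call it explicitly.
    print()
    # Check the command line arguments.
    if len(argv) < 3:
        script = os.path.basename(argv[0])
        print("  %s <pid> <process.exe> [arguments]" % script)
        return
    # Request debug privileges.
    system = System()
    system.request_debug_privileges()
    # Parse the parent process argument: a number selects a PID directly,
    # anything else is treated as an executable name.
    try:
        dwParentProcessId = HexInput.integer(argv[1])
    except ValueError:
        dwParentProcessId = None
    if dwParentProcessId is not None:
        dwMyProcessId = win32.GetProcessId(win32.GetCurrentProcess())
        # Our own PID obviously exists; any other one is checked against a
        # (fast) snapshot of the running processes.
        if dwParentProcessId != dwMyProcessId:
            system.scan_processes_fast()
            if not system.has_process(dwParentProcessId):
                print("Can't find process ID %d" % dwParentProcessId)
                return
    else:
        system.scan_processes()
        process_list = system.find_processes_by_filename(argv[1])
        if not process_list:
            print("Can't find process %r" % argv[1])
            return
        # Refuse to guess when the name is ambiguous; list the candidates.
        if len(process_list) > 1:
            print("Too many processes found:")
            for process, name in process_list:
                print("\t%d:\t%s" % (process.get_pid(), name))
            return
        dwParentProcessId = process_list[0][0].get_pid()
    # Parse the target process argument.
    # NOTE(review): SearchPath with a NULL path argument uses the system's
    # default search order; confirm that is the intended lookup for bare names.
    filename = argv[2]
    if not ntpath.exists(filename):
        try:
            filename = win32.SearchPath(None, filename, '.exe')[0]
        except WindowsError as e:
            print("Error searching for %s: %s" % (filename, str(e)))
            return
    # Copy before mutating: argv may be the caller's list.
    argv = list(argv)
    argv[2] = filename
    # Start the new process.  Its recorded parent will be dwParentProcessId
    # rather than this tool's own process.
    try:
        process = system.start_process(
            system.argv_to_cmdline(argv[2:]),
            bConsole=True,
            bInheritHandles=True,
            dwParentProcessId=dwParentProcessId,
        )
        dwProcessId = process.get_pid()
    except AttributeError as e:
        # The parent override relies on InitializeProcThreadAttributeList,
        # which is only available from Windows Vista on; anything else is an
        # unexpected failure and is reported as such.
        if "InitializeProcThreadAttributeList" in str(e):
            print("This tool requires Windows Vista or above.")
        else:
            print("Error starting new process: %s" % str(e))
        return
    except WindowsError as e:
        print("Error starting new process: %s" % str(e))
        return
    print("Process created: %d" % dwProcessId)
    return dwProcessId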
def main(argv):
    """Main function: collect the running processes, optionally with their windows and services.

    Args:
        argv: the command line, parsed by ``parse_cmdline``; the options read
            here are ``full_path``, ``search``, ``windows`` and ``services``.

    Builds ``filenames`` (pid -> displayed name, filtered by the search
    string), ``captions`` (pid -> set of window texts) and ``services``
    (ProcessId -> set of service names).  Prints a message and returns early
    if the processes or services cannot be enumerated.
    NOTE(review): this excerpt ends after the data has been collected; the
    rendering of the table is not shown here.
    """
    # Print the banner.
    print "Process enumerator"
    print "by Mario Vilas (mvilas at gmail.com)"
    print
    # Parse the command line options.
    (options, argv) = parse_cmdline(argv)
    showFilenameOnly = not options.full_path
    searchString = options.search
    # Windows filenames are case insensitive.
    if searchString:
        searchString = searchString.lower()
    # Take a snapshot of the running processes.
    s = System()
    s.request_debug_privileges()
    try:
        s.scan_processes()
        # Full paths are only needed when they will be displayed.
        if not showFilenameOnly:
            s.scan_process_filenames()
    except WindowsError:
        # The full scan needs more rights than the fast one.
        s.scan_processes_fast()
    pid_list = s.get_process_ids()
    pid_list.sort()
    if not pid_list:
        print "Unknown error enumerating processes!"
        return
    # Get the filename of each process.
    filenames = dict()
    for pid in pid_list:
        p = s.get_process(pid)
        fileName = p.get_filename()
        # Special process IDs.
        # PID 0: System Idle Process. Also has a special meaning to the
        # toolhelp APIs (current process).
        # PID 4: System Integrity Group. See this forum post for more info:
        # http://tinyurl.com/ycza8jo
        # (points to social.technet.microsoft.com)
        # Only on XP and above
        # PID 8: System (?) only in Windows 2000 and below AFAIK.
        # It's probably the same as PID 4 in XP and above.
        if pid == 0:
            fileName = "[System Idle Process]"
        elif pid == 4:
            fileName = "[System Integrity Group]"
        elif pid == 8:
            fileName = "[System]"
        # Filename not available.
        elif not fileName:
            fileName = ""
        # Get the process pathname instead, if requested.
        elif showFilenameOnly:
            fileName = PathOperations.pathname_to_filename(fileName)
        # Filter the output with the search string.
        if searchString and searchString not in fileName.lower():
            continue
        # Remember the filename.
        filenames[pid] = fileName
    # Get the window captions if requested.
    # TODO: show window handles too if possible
    captions = dict()
    if options.windows:
        for w in s.get_windows():
            try:
                pid = w.get_pid()
                text = w.get_text()
            except WindowsError:
                # Windows we cannot query are simply left out.
                continue
            try:
                captions[pid].add(text)
            except KeyError:
                capset = set()
                capset.add(text)
                captions[pid] = capset
    # Get the services if requested.
    # NOTE(review): descriptor.ProcessId is presumably 0 for services that are
    # not running; those would be grouped under PID 0 here -- confirm whether
    # that is intended.
    services = dict()
    if options.services:
        try:
            for descriptor in s.get_services():
                try:
                    services[descriptor.ProcessId].add(descriptor.ServiceName)
                except KeyError:
                    srvset = set()
                    srvset.add(descriptor.ServiceName)
                    services[descriptor.ProcessId] = srvset
        except WindowsError, e:
            print "Error getting the list of services: %s" % str(e)
            return
def main(argv):
    """Main function: list the running processes, optionally with their windows and services.

    Args:
        argv: the command line, parsed by ``parse_cmdline``; the options read
            here are ``full_path``, ``search``, ``windows``, ``services`` and
            ``format``.

    Collects ``filenames`` (pid -> displayed name, filtered by the search
    string), ``captions`` (pid -> set of window texts) and ``services``
    (ProcessId -> set of service names), then prints them either as one
    table row per process or, in "long" format, as a block of label/value
    rows per process.  With ``format == "auto"`` the long format is chosen
    when windows or services were requested or when the short table would be
    80 columns or wider.  Prints a message and returns early if the processes
    or services cannot be enumerated.
    """
    # Print the banner.
    print("Process enumerator")
    print("by Mario Vilas (mvilas at gmail.com)")
    print()
    # Parse the command line options.
    (options, argv) = parse_cmdline(argv)
    showFilenameOnly = not options.full_path
    searchString = options.search
    # Windows filenames are case insensitive.
    if searchString:
        searchString = searchString.lower()
    # Take a snapshot of the running processes.
    s = System()
    s.request_debug_privileges()
    try:
        s.scan_processes()
        # Full paths are only needed when they will be displayed.
        if not showFilenameOnly:
            s.scan_process_filenames()
    except WindowsError:
        # The full scan needs more rights than the fast one.
        s.scan_processes_fast()
    pid_list = s.get_process_ids()
    pid_list.sort()
    if not pid_list:
        print("Unknown error enumerating processes!")
        return
    # Get the filename of each process.
    filenames = dict()
    for pid in pid_list:
        p = s.get_process(pid)
        fileName = p.get_filename()
        # Special process IDs.
        # PID 0: System Idle Process. Also has a special meaning to the
        # toolhelp APIs (current process).
        # PID 4: System Integrity Group. See this forum post for more info:
        # http://tinyurl.com/ycza8jo
        # (points to social.technet.microsoft.com)
        # Only on XP and above
        # PID 8: System (?) only in Windows 2000 and below AFAIK.
        # It's probably the same as PID 4 in XP and above.
        if pid == 0:
            fileName = "[System Idle Process]"
        elif pid == 4:
            fileName = "[System Integrity Group]"
        elif pid == 8:
            fileName = "[System]"
        # Filename not available.
        elif not fileName:
            fileName = ""
        # Get the process pathname instead, if requested.
        elif showFilenameOnly:
            fileName = PathOperations.pathname_to_filename(fileName)
        # Filter the output with the search string.
        if searchString and searchString not in fileName.lower():
            continue
        # Remember the filename.
        filenames[pid] = fileName
    # Get the window captions if requested.
    # TODO: show window handles too if possible
    captions = dict()
    if options.windows:
        for w in s.get_windows():
            try:
                pid = w.get_pid()
                text = w.get_text()
            except WindowsError:
                # Windows we cannot query are simply left out.
                continue
            try:
                captions[pid].add(text)
            except KeyError:
                capset = set()
                capset.add(text)
                captions[pid] = capset
    # Get the services if requested.
    # NOTE(review): descriptor.ProcessId is presumably 0 for services that are
    # not running; those would be grouped under PID 0 here -- confirm whether
    # that is intended.
    services = dict()
    if options.services:
        try:
            for descriptor in s.get_services():
                try:
                    services[descriptor.ProcessId].add(descriptor.ServiceName)
                except KeyError:
                    srvset = set()
                    srvset.add(descriptor.ServiceName)
                    services[descriptor.ProcessId] = srvset
        except WindowsError as e:
            print("Error getting the list of services: %s" % str(e))
            return
    # Extra columns never fit on a line, so go straight to the long format.
    if options.format == "auto":
        if options.windows or options.services:
            options.format = "long"
    if options.format != "long":
        headers = [" PID", "Filename"]
        if options.windows:
            headers.append("Windows")
        if options.services:
            headers.append("Services")
        table = Table()
        table.addRow(*headers)
        for pid in pid_list:
            # Processes filtered out by the search string have no entry.
            if pid in filenames:
                fileName = filenames[pid]
                caplist = sorted(captions.get(pid, set()))
                srvlist = sorted(services.get(pid, set()))
                if options.windows and options.services:
                    # Pad the shorter list so both columns have the same
                    # number of rows; the first row also carries PID and name.
                    if len(caplist) < len(srvlist):
                        caplist.extend([''] * (len(srvlist) - len(caplist)))
                    elif len(srvlist) < len(caplist):
                        srvlist.extend([''] * (len(caplist) - len(srvlist)))
                    if len(caplist):
                        table.addRow(' %d' % pid, fileName, caplist[0], srvlist[0])
                        for i in range(1, len(caplist)):
                            table.addRow('', '', caplist[i], srvlist[i])
                    else:
                        table.addRow(' %d' % pid, fileName, '', '')
                elif options.windows:
                    if len(caplist):
                        table.addRow(' %d' % pid, fileName, caplist[0])
                        for i in range(1, len(caplist)):
                            table.addRow('', '', caplist[i])
                    else:
                        table.addRow(' %d' % pid, fileName, '')
                elif options.services:
                    if len(srvlist):
                        table.addRow(' %d' % pid, fileName, srvlist[0])
                        for i in range(1, len(srvlist)):
                            table.addRow('', '', srvlist[i])
                    else:
                        table.addRow(' %d' % pid, fileName, '')
                else:
                    table.addRow(' %d' % pid, fileName)
        table.justify(0, 1)
        # In "auto" mode a table that would not fit in 80 columns is discarded
        # and rebuilt below in the long format.
        if options.format == "auto" and table.getWidth() >= 80:
            options.format = "long"
        else:
            table.show()
    if options.format == "long":
        # If it doesn't fit, build a new table of only two rows. The first row
        # contains the headers and the second row the data. Insert an empty row
        # between each process.
        need_empty_row = False
        table = Table()
        for pid in pid_list:
            if pid in filenames:
                if need_empty_row:
                    table.addRow()
                else:
                    need_empty_row = True
                table.addRow("PID:", pid)
                fileName = filenames[pid]
                if fileName:
                    table.addRow("Filename:", fileName)
                # First caption carries the label, the rest are indented under it.
                caplist = sorted(captions.get(pid, set()))
                if caplist:
                    caption = caplist.pop(0)
                    table.addRow("Windows:", caption)
                    for caption in caplist:
                        table.addRow('', caption)
                srvlist = sorted(services.get(pid, set()))
                if srvlist:
                    srvname = srvlist.pop(0)
                    table.addRow("Services:", srvname)
                    for srvname in srvlist:
                        table.addRow('', srvname)
        table.justify(0, 1)
        table.show()
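def show(search=None, wide=True):
    """Show a table with the list of services.

    Args:
        search: optional substring; when given it is lowercased and only
            services whose ``ServiceName`` or ``DisplayName`` contains it
            (case-insensitively) are shown.
        wide: ``True`` prints one ``Table`` row per service; ``False`` prints
            a multi-line record per service, separated by blank lines.

    Prints a message and returns early when no processes can be enumerated
    or ``System.get_services()`` raises WindowsError.
    """
    # Take a snapshot of the running processes so each running service can be
    # paired with the filename of the process hosting it.
    s = System()
    s.request_debug_privileges()
    try:
        s.scan_processes()
        s.scan_process_filenames()
    except WindowsError:
        # The full scan needs more rights than the fast one.
        s.scan_processes_fast()
    pid_list = s.get_process_ids()
    pid_list.sort()
    if not pid_list:
        print("Unknown error enumerating processes!")
        return
    # Get the filename of each process (pid -> bare filename, "" if unknown).
    filenames = dict()
    for pid in pid_list:
        p = s.get_process(pid)
        # Special process IDs.
        # PID 0: System Idle Process. Also has a special meaning to the
        # toolhelp APIs (current process).
        # PID 4: System Integrity Group. See this forum post for more info:
        # http://tinyurl.com/ycza8jo
        # (points to social.technet.microsoft.com)
        # Only on XP and above
        # PID 8: System (?) only in Windows 2000 and below AFAIK.
        # It's probably the same as PID 4 in XP and above.
        if pid in (0, 4, 8):
            fileName = ""
        # Get the filename for all other processes.
        else:
            fileName = p.get_filename()
            if fileName:
                # Keep only the file name, not the full path.
                fileName = PathOperations.pathname_to_filename(fileName)
            else:
                fileName = ""
        # Remember the filename.
        filenames[pid] = fileName
    # Make the search string lowercase if given.
    if search is not None:
        search = search.lower()
    # Get the list of services.
    try:
        services = System.get_services()
    except WindowsError as e:
        print(str(e))
        return
    # Human readable names for the service states.  The original if/elif chain
    # had no final branch, so a state outside this list left ``status`` unbound
    # (NameError on the first service, a stale value on later ones); unknown
    # states now render as "Unknown".
    status_names = {
        win32.SERVICE_CONTINUE_PENDING: "Resuming...",
        win32.SERVICE_PAUSE_PENDING: "Pausing...",
        win32.SERVICE_PAUSED: "Paused",
        win32.SERVICE_RUNNING: "Running",
        win32.SERVICE_START_PENDING: "Starting...",
        win32.SERVICE_STOP_PENDING: "Stopping...",
        win32.SERVICE_STOPPED: "Stopped",
    }
    # Convert the list of services to a list of rows.
    data = []
    for descriptor in services:
        # Filter out services that don't match the search string if given.
        if search is not None and \
           search not in descriptor.ServiceName.lower() and \
           search not in descriptor.DisplayName.lower():
            continue
        # Status.
        status = status_names.get(descriptor.CurrentState, "Unknown")
        # Type: the flags are tested in this order and the first hit wins.
        if descriptor.ServiceType & win32.SERVICE_INTERACTIVE_PROCESS:
            svc_type = 'Win32 GUI'
        elif descriptor.ServiceType & win32.SERVICE_WIN32:
            svc_type = 'Win32'
        elif descriptor.ServiceType & win32.SERVICE_DRIVER:
            svc_type = 'Driver'
        else:
            svc_type = 'Unknown'
        # Process ID.  Some descriptors may lack the attribute; a falsy PID
        # (presumably a service that is not running -- TODO confirm) is shown
        # as an empty cell.
        try:
            pid = descriptor.ProcessId
        except AttributeError:
            pid = None
        pidStr = str(pid) if pid else ""
        # Filename of the hosting process, if we know it.
        fileName = filenames.get(pid, "")
        # Append the row.
        data.append((descriptor.ServiceName, descriptor.DisplayName,
                     status, svc_type, pidStr, fileName))
    # Sort the rows (by service name first, since it is the first column).
    data = sorted(data)
    # Build the table and print it.
    if wide:
        headers = ("Service", "Display name", "Status", "Type", "PID", "Path")
        table = Table()
        table.addRow(*headers)
        separator = ['-' * len(x) for x in headers]
        table.addRow(*separator)
        for row in data:
            table.addRow(*row)
        table.show()
    else:
        need_empty_line = False
        for (name, disp, status, svc_type, pidStr, path) in data:
            if need_empty_line:
                print()
            else:
                need_empty_line = True
            print("Service name: %s" % name)
            if disp:
                print("Display name: %s" % disp)
            print("Current status: %s" % status)
            print("Service type: %s" % svc_type)
            if pidStr:
                pid = int(pidStr)
                print("Process ID: %d (0x%x)" % (pid, pid))
            if path:
                print("Host filename: %s" % path)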