def execute(self, path, args=None, suspended=False, kernel_analysis=False): """Execute sample process. @param path: sample path. @param args: process args. @param suspended: is suspended. @return: operation status. """ if not os.access(path, os.X_OK): log.error( 'Unable to access file at path "%s", ' "execution aborted", path) return False startup_info = STARTUPINFO() startup_info.cb = sizeof(startup_info) # STARTF_USESHOWWINDOW startup_info.dwFlags = 1 # SW_SHOWNORMAL startup_info.wShowWindow = 1 process_info = PROCESS_INFORMATION() arguments = '"' + path + '" ' if args: arguments += args creation_flags = CREATE_NEW_CONSOLE if suspended: self.suspended = True creation_flags += CREATE_SUSPENDED created = KERNEL32.CreateProcessW(path, arguments, None, None, None, creation_flags, None, os.getenv("TEMP"), byref(startup_info), byref(process_info)) if created: self.pid = process_info.dwProcessId self.h_process = process_info.hProcess self.thread_id = process_info.dwThreadId self.h_thread = process_info.hThread log.info( 'Successfully executed process from path "%s" with ' 'arguments "%s" with pid %d', path, args or "", self.pid) if kernel_analysis: return self.kernel_analyze() return True else: log.error( 'Failed to execute process from path "%s" with ' 'arguments "%s" (Error: %s)', path, args, get_error_string(KERNEL32.GetLastError()), ) return False
def execute(self, path, args=None, suspended=False, kernel_analysis=False): """Execute sample process. @param path: sample path. @param args: process args. @param suspended: is suspended. @return: operation status. """ if not os.access(path, os.X_OK): log.error("Unable to access file at path \"%s\", " "execution aborted", path) return False startup_info = STARTUPINFO() startup_info.cb = sizeof(startup_info) # STARTF_USESHOWWINDOW startup_info.dwFlags = 1 # SW_SHOWNORMAL startup_info.wShowWindow = 1 process_info = PROCESS_INFORMATION() arguments = "\"" + path + "\" " if args: arguments += args creation_flags = CREATE_NEW_CONSOLE if suspended: self.suspended = True creation_flags += CREATE_SUSPENDED created = KERNEL32.CreateProcessA(path, arguments, None, None, None, creation_flags, None, os.getenv("TEMP"), byref(startup_info), byref(process_info)) if created: self.pid = process_info.dwProcessId self.h_process = process_info.hProcess self.thread_id = process_info.dwThreadId self.h_thread = process_info.hThread log.info("Successfully executed process from path \"%s\" with " "arguments \"%s\" with pid %d", path, args or "", self.pid) if kernel_analysis: return self.kernel_analyze() return True else: log.error("Failed to execute process from path \"%s\" with " "arguments \"%s\" (Error: %s)", path, args, get_error_string(KERNEL32.GetLastError())) return False
def create_monitored_process(self, process_path, args=""): """ Creating a new process to monitor by the driver. The process will be created in suspended mode, then after the PID will be sent to the driver for further monitoring. When the driver is done initializing, the process can be resumed. Parameters: process_path (string), the path of the process to create, unicode string. args (unicode), additional arguments to provide to the process Return value: list of process parameters: (h_process, h_thread, pid, tid) """ # Initializations startup_info = STARTUPINFO() startup_info.cb = sizeof(startup_info) startup_info.dwFlags = win32process.STARTF_USESHOWWINDOW startup_info.wShowWindow = win32con.SW_NORMAL KERNEL32.CreateProcessW.errcheck = self.errcheck # assign a callable process_info = PROCESS_INFORMATION() creation_flags = CREATE_NEW_CONSOLE | CREATE_SUSPENDED # Create new process (UNICODE) success = KERNEL32.CreateProcessW(None, "%s %s" % (process_path, args), None, None, None, creation_flags, None, None, # Starting path? ctypes.byref(startup_info), ctypes.byref(process_info)) # Data h_process, h_thread, pid, tid = process_info.hProcess, process_info.hThread, process_info.dwProcessId, process_info.dwThreadId, pid = self._check_preloaded_pid(pid) # Hack to monitor first pid - this process try: self._send_ioctl(self._driver_communication_device, self._ioctl_monitor, str(pid)) pass except Exception, e: error_code = KERNEL32.GetLastError() log.error("Failed monitoring, GLE: [%d]-[%s]", error_code, get_error_string(error_code)) log.error(str(e)) return (False, h_process, h_thread, pid, tid)
def execute(self, path, args=None, suspended=False, kernel_analysis=False): """Execute sample process. @param path: sample path. @param args: process args. @param suspended: is suspended. @return: operation status. """ if not os.access(path, os.X_OK): log.error('Unable to access file at path "%s", execution aborted', path) return False startup_info = STARTUPINFO() startup_info.cb = sizeof(startup_info) # STARTF_USESHOWWINDOW startup_info.dwFlags = 1 # SW_SHOWNORMAL startup_info.wShowWindow = 1 process_info = PROCESS_INFORMATION() arguments = f'"{path}" ' if args: arguments += args creation_flags = CREATE_NEW_CONSOLE if suspended: self.suspended = True creation_flags += CREATE_SUSPENDED # Use the custom execution directory if provided, otherwise launch in the same location # where the sample resides (default %TEMP%) if "executiondir" in self.options.keys(): execution_directory = self.options["executiondir"] elif "curdir" in self.options.keys(): execution_directory = self.options["curdir"] else: execution_directory = os.getenv("TEMP") # Try to create the custom directories so that the execution path is deemed valid create_custom_folders(execution_directory) created = KERNEL32.CreateProcessW(path, arguments, None, None, None, creation_flags, None, execution_directory, byref(startup_info), byref(process_info)) if created: self.pid = process_info.dwProcessId self.h_process = process_info.hProcess self.thread_id = process_info.dwThreadId self.h_thread = process_info.hThread log.info( 'Successfully executed process from path "%s" with arguments "%s" with pid %d', path, args or "", self.pid) if kernel_analysis: return self.kernel_analyze() return True else: log.error( 'Failed to execute process from path "%s" with arguments "%s" (Error: %s)', path, args, get_error_string(KERNEL32.GetLastError()), ) return False