def test():
    """Interactive check of a module's page protection in another process.

    Reads a PID from stdin, walks that process's Toolhelp module list looking
    for ``msctf.dll`` / ``msvcrt.dll``, opens the process, prints the current
    protection of the page region at the module base, switches that region to
    ``PAGE_EXECUTE_READWRITE`` through ``set_page_protection`` and prints the
    protection again. Every Win32 failure is printed via ``WinError`` and ends
    the program with ``exit()``.

    Depends on names that live elsewhere in the project: ``kernel32``,
    ``set_debug_privilege``, ``MODULEENTRY32``, ``TH32CS_SNAPMODULE``,
    ``PROCESS_ALL_ACCESS``, ``PAGE_EXECUTE_READWRITE``, ``get_page_info``,
    ``set_page_protection`` and ``show_protection``.
    """
    def open_process(pid):
        """Return a handle to process *pid*, or False after printing the Win32 error."""
        # NOTE(review): PROCESS_ALL_ACCESS requests every right on the target;
        # the page-query / page-protect helpers used below presumably need far
        # less -- confirm which rights they actually require and narrow the mask.
        h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
        # print("0x{:016X}".format(h_process))
        if not h_process:
            print(WinError(GetLastError()))
            return False
        return h_process

    set_debug_privilege()
    pid = input("pid: ")  # raw string; int(pid) below raises ValueError on non-numeric input
    # NOTE(review): the snapshot handle is never released (no CloseHandle on
    # this page) and its failure value is not checked -- on a failed snapshot
    # Module32First presumably returns 0 and the walk below is skipped silently.
    snapshot = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, int(pid))
    lpme = MODULEENTRY32()
    lpme.dwSize = sizeof(lpme)  # Toolhelp requires dwSize to be filled in before the first call
    res = kernel32.Module32First(snapshot, byref(lpme))
    address = None
    while res:
        if lpme.th32ProcessID == int(pid):
            # szModule is compared as bytes, so MODULEENTRY32 is presumably the
            # ANSI variant of the structure -- confirm against defines.
            if lpme.szModule == b"msctf.dll" or lpme.szModule == b"msvcrt.dll":
                print("PID: ", lpme.th32ProcessID)
                print("MID: ", lpme.th32ModuleID)
                # print("MODULE_ADDRESS 0x{:016X}".format(lpme.modBaseAddr))
                print("MODULE_SIZE: ", lpme.modBaseSize)
                print("MODULE_NAME: ", lpme.szModule)
                print("MODULE_PATH: ", lpme.szExePath)
                # No break here: if both modules are present, the later entry wins.
                address = lpme.modBaseAddr
        res = kernel32.Module32Next(snapshot, byref(lpme))
    h_process = open_process(int(pid))
    if not h_process:
        print(WinError(GetLastError()))
        exit()
    # NOTE(review): if neither module was found, address is still None here and
    # the cast appears to yield a null pointer, so the page queries below would
    # run against address 0 -- probably not intended; a guard before this line
    # would make the failure explicit.
    p_address = cast(address, POINTER(BYTE))
    page_info = get_page_info(h_process, p_address)
    if not page_info:
        print(WinError(GetLastError()))
        exit()
    show_protection(page_info.Protect)
    # Switches the whole region at the module base to RWX. old_protect is
    # captured but never used afterwards, so the region stays writable and
    # executable when this function returns; h_process is not closed either.
    old_protect = set_page_protection(h_process, p_address, page_info.RegionSize, PAGE_EXECUTE_READWRITE)
    if not old_protect:
        print(WinError(GetLastError()))
        exit()
    page_info = get_page_info(h_process, p_address)
    if not page_info:
        print(WinError(GetLastError()))
        exit()
    show_protection(page_info.Protect)
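import copy
from ctypes import *
from ctypes import wintypes
from defines import *
from privilege import set_debug_privilege

kernel32 = windll.kernel32
# Import-time side effect: privilege.set_debug_privilege (defined elsewhere) is
# called once here; its return value is ignored, so a failure is silent.
set_debug_privilege()


def to_dict(lpme):
    """Return a plain dict of *lpme*'s ctypes fields (field name -> current value).

    Works for any ctypes ``Structure``: iterates ``_fields_`` and reads each
    field with ``getattr``, so the result is whatever ctypes returns for that
    field type (bytes for char arrays, int for integer fields, ...).
    """
    return {field: getattr(lpme, field) for field, _ in lpme._fields_}


def enum_modules(pid):
    """List the modules loaded in process *pid* as dicts of MODULEENTRY32 fields.

    Takes a Toolhelp module snapshot of ``pid`` and walks it with
    Module32First/Module32Next, keeping only entries whose ``th32ProcessID``
    equals ``pid``. Returns an empty list both when the process has no
    matching entries and when the snapshot could not be taken (the two cases
    are not distinguished here; GetLastError is left for the caller).

    The snapshot handle is always released with CloseHandle, even if an
    exception escapes the walk -- the previous version leaked it.

    NOTE(review): no argtypes/restype are declared on the kernel32 functions
    used here, so handle values pass through ctypes' default C int conversion;
    on 64-bit builds consider declaring ``wintypes.HANDLE`` for them.
    """
    pid = int(pid)  # convert once instead of re-parsing on every iteration
    module_list = []
    snapshot = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid)
    try:
        lpme = MODULEENTRY32()
        lpme.dwSize = sizeof(lpme)  # Toolhelp requires dwSize to be set before the first call
        res = kernel32.Module32First(snapshot, byref(lpme))
        while res:
            if lpme.th32ProcessID == pid:
                # Copy the entry out now: lpme is overwritten by Module32Next.
                module_list.append(to_dict(lpme))
            res = kernel32.Module32Next(snapshot, byref(lpme))
    finally:
        kernel32.CloseHandle(snapshot)
    return module_list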
from ctypes import *
from ctypes import wintypes
from defines import *
from privilege import set_debug_privilege
from prompt import Prompt
from debugger import Debugger

# Ask privilege.set_debug_privilege (defined elsewhere) for the debug privilege
# once at startup and report the outcome on stdout. Only its truthiness is
# consulted, and no exit is taken on failure.
print(
    "[*] enabled debug privilege"
    if set_debug_privilege()
    else "[!!] Can't enable to debug privilege!"
)