def get_filepath(self):
"""Get process image file path.
@return: decoded file path.
"""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = create_string_buffer(200)
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process, 27, byref(pbi),
sizeof(pbi), byref(size))
if NT_SUCCESS(ret) and size.value > 8:
try:
fbuf = pbi.raw[8:]
fbuf = fbuf[:fbuf.find('\0\0') + 1]
return fbuf.decode('utf16', errors="ignore")
except:
return ""
return ""
def get_filepath(self):
"""Get process image file path.
@return: decoded file path.
"""
process_handle = self.open_process()
NT_SUCCESS = lambda val: val >= 0
pbi = create_string_buffer(200)
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(process_handle, 27, byref(pbi),
sizeof(pbi), byref(size))
KERNEL32.CloseHandle(process_handle)
if NT_SUCCESS(ret) and size.value > 8:
try:
fbuf = pbi.raw[8:]
fbuf = fbuf[:fbuf.find("\x00\x00") + 1]
return fbuf.decode("utf16", errors="ignore")
except:
return ""
return ""
def get_filepath(self):
"""Get process image file path.
@return: decoded file path.
"""
if not self.h_process:
self.open()
pbi = create_string_buffer(530)
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process, 27, byref(pbi),
sizeof(pbi), byref(size))
if NT_SUCCESS(ret) and size.value > 8:
try:
fbuf = pbi.raw[8:]
fbuf = fbuf[:fbuf.find(b"\0\0") + 1]
return fbuf.decode("utf16", errors="ignore")
except Exception as e:
log.info(e)
return ""
def get_parent_pid(self):
"""Get the Parent Process ID."""
class PROCESS_BASIC_INFORMATION(Structure):
_fields_ = [
("ExitStatus", c_void_p),
("PebBaseAddress", c_void_p),
("AffinityMask", c_void_p),
("BasePriority", c_void_p),
("UniqueProcessId", c_void_p),
("InheritedFromUniqueProcessId", c_void_p),
]
NT_SUCCESS = lambda val: val >= 0
pbi = PROCESS_BASIC_INFORMATION()
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
process_handle = self.open_process()
ret = NTDLL.NtQueryInformationProcess(
process_handle, 0, byref(pbi), sizeof(pbi), byref(size)
)
KERNEL32.CloseHandle(process_handle)
if NT_SUCCESS(ret) and size.value == sizeof(pbi):
return pbi.InheritedFromUniqueProcessId
def is_critical(self):
"""Determines if process is 'critical' or not, so we can prevent terminating it"""
if not self.h_process:
self.open()
val = c_ulong(0)
retlen = c_ulong(0)
ret = NTDLL.NtQueryInformationProcess(self.h_process, 29, byref(val), sizeof(val), byref(retlen))
if NT_SUCCESS(ret) and val.value:
return True
return False
def get_parent_pid(self):
"""Get the Parent Process ID."""
if not self.h_process:
self.open()
pbi = (ULONG_PTR * 6)()
size = c_ulong()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process, 0, byref(pbi), sizeof(pbi), byref(size))
if NT_SUCCESS(ret) and size.value == sizeof(pbi):
return pbi[5]
return None
def get_parent_pid(self):
"""Get the Parent Process ID."""
process_handle = self.open_process()
NT_SUCCESS = lambda val: val >= 0
pbi = (c_int * 6)()
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(process_handle, 0, byref(pbi),
sizeof(pbi), byref(size))
KERNEL32.CloseHandle(process_handle)
if NT_SUCCESS(ret) and size.value == sizeof(pbi):
return pbi[5]
return None
