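def main():
    """Dump the attributes of the process whose pid is given on the command line.

    Reads ``sys.argv[1]`` as a decimal pid, wraps it in ``Process`` and prints
    one ``label value`` line per getter, in the original order and with the
    original labels (their separators are inconsistent -- ``;`` / ``:`` /
    none -- but they are kept verbatim so any consumer of this output is
    unaffected).

    The last call, ``proc.resume()``, is not a read-only query: it resumes a
    process that may have been deliberately suspended (e.g. by a debugger or
    a create-suspended launch), so this "info" dump has a side effect on the
    target.

    Exits with status 2 and a usage line when the pid argument is missing or
    not an integer, instead of dying with an uncaught IndexError/ValueError.
    """
    if len(sys.argv) < 2:
        print("usage: %s <pid>" % sys.argv[0])
        sys.exit(2)
    try:
        pid = int(sys.argv[1])
    except ValueError:
        print("usage: %s <pid>   (pid must be a decimal integer, got %r)"
              % (sys.argv[0], sys.argv[1]))
        sys.exit(2)
    proc = Process(pid)
    # Getters are stored unbound and invoked in the loop below so that they
    # run in exactly the original order (resume() last).
    fields = (
        ("pid;", proc.get_pid),
        ("is_alive;", proc.is_alive),
        ("is_debugged;", proc.is_debugged),
        ("is_wow;", proc.is_wow64),
        ("arch;", proc.get_arch),
        ("bits;", proc.get_bits),
        ("filename:", proc.get_filename),
        ("exit_time;", proc.get_exit_time),
        ("running_time;", proc.get_running_time),
        ("service;", proc.get_services),
        ("policy;", proc.get_dep_policy),
        ("peb;", proc.get_peb),
        ("main_module;", proc.get_main_module),
        ("peb_address", proc.get_peb_address),
        ("entry_point;", proc.get_entry_point),
        ("image_base;", proc.get_image_base),
        ("image_name;", proc.get_image_name),
        ("command_line;", proc.get_command_line),
        ("environment;", proc.get_environment),
        ("handle;", proc.get_handle),
        # side effect: resumes the target's threads (see docstring)
        ("resume;", proc.resume),
    )
    for label, getter in fields:
        # "%s %s" with a tuple argument mirrors the py2 "print a, b" spacing
        # and is valid under both py2 and py3.
        print("%s %s" % (label, getter()))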
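def search_string(pid, func, size):
    """Report the loaded module matching the DLL half of *func* in process *pid*.

    Prints the image base, the main module and a hex dump of the first 100
    bytes at the image base (the DOS header and what follows it), then splits
    *func* with ``_split_dll_func`` and walks ``process.get_modules()`` printing
    every module whose path matches the DLL name, with or without a ``.dll``
    suffix.

    Args:
        pid: target process id.
        func: DLL/function specifier in whatever form ``_split_dll_func``
            accepts; also used verbatim in the "not found" message.
        size: accepted for interface compatibility; not used here.

    Returns:
        ``""`` -- results are printed, not returned (original interface).

    Raises:
        SystemExit(-1): *func* could not be split into a DLL and a function.
    """
    process = Process(pid)
    image_base = process.get_image_base()
    print("get_image_base: %s" % hex(image_base))
    print("get_main_module: %s" % (process.get_main_module(),))
    dos_header = process.read(image_base, 100)
    # py2 str: iterating yields one-character strings, hence ord()
    print("".join("%02X " % ord(byte) for byte in dos_header).strip())
    # An unconditional sys.exit(0) used to sit here, a debugging leftover that
    # made the module search below unreachable; it has been removed.
    search_dll, search_func = _split_dll_func(func)
    print("%s : %s" % (search_dll, search_func))
    if search_dll is None or search_func is None:
        # The original formatted an undefined name (`arg`) here, which would
        # have raised NameError instead of printing; *func* is what was meant.
        print("%s not found!" % func)
        sys.exit(-1)
    # NOTE: search_dll is interpolated into the pattern unescaped, so the "."
    # in a name like "ntdll.dll" matches any character. The argument is an
    # operator-supplied pattern, so this is preserved rather than escaped;
    # pass re.escape()'d text if an exact name is required.
    for mod_path, mod_base in process.get_modules():
        if (ismatch(mod_path, ".*" + search_dll + "$")
                or ismatch(mod_path, ".*" + search_dll + ".dll$")):
            # spacing reproduces the original comma-separated print output
            print("%s  :  %s  ( %s )" % (mod_path, hex(mod_base), mod_base))
    return ""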
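def proces_info(pid, addr=""):
    """Print architecture, image and PEB facts about process *pid*.

    Each line is ``label: value`` for, in order: arch, bits, command line,
    image name, image base, the PEB's ImageBaseAddress, the PEB address and
    the entry point (addresses as hex). The ``get_main_module`` line is kept
    commented out as in the original.

    Args:
        pid: target process id.
        addr: optional hexadecimal address string. When non-empty it is
            validated with ``int(addr, 16)``; it is not used by any of the
            dumps below. The original parsed it unconditionally, so the
            default ``""`` always raised ValueError.

    Raises:
        ValueError: *addr* is non-empty but not valid hexadecimal.
    """
    if addr:
        int(addr, 16)  # validation only; the parsed value is not used below
    process = Process(pid)
    print("get_arch: %s" % (process.get_arch(),))
    print("get_bits: %s" % (process.get_bits(),))
    # print("get_main_module: %s" % (process.get_main_module(),))
    print("get_command_line: %s" % (process.get_command_line(),))
    print("get_image_name: %s" % (process.get_image_name(),))
    print("get_image_base: %s" % hex(process.get_image_base()))
    print("get_peb: %s" % hex(process.get_peb().ImageBaseAddress))
    print("get_peb_address: %s" % hex(process.get_peb_address()))
    print("get_entry_point: %s" % hex(process.get_entry_point()))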