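def get_filepath(self):
    """Get process image file path.

    Queries NtQueryInformationProcess with information class 27
    (PROCESS_IMAGE_FILE_NAME).  The reply is a UNICODE_STRING header whose
    Buffer points at UTF-16LE characters stored behind the header in the
    same caller-supplied buffer; the path is in NT device form
    (``\\Device\\HarddiskVolumeN\\...``), not a drive-letter path.
    @return: decoded file path, or "" when the query fails or the reply
             does not have the expected layout.
    """
    from ctypes import Structure, addressof, c_ushort, c_void_p

    if not self.h_process:
        self.open()

    # Declaring the header as a ctypes Structure gives the right size and
    # alignment on both 32- and 64-bit builds (Buffer is pointer-sized),
    # instead of hard-coding an 8-byte header that only fits 32-bit.
    class UNICODE_STRING(Structure):
        _fields_ = [
            ("Length", c_ushort),          # payload length in bytes, no terminator
            ("MaximumLength", c_ushort),
            ("Buffer", c_void_p),
        ]

    def nt_success(status):
        # NTSTATUS success/informational codes are non-negative as signed int32.
        return status >= 0

    hdr_len = sizeof(UNICODE_STRING)
    # Header plus the largest payload a UNICODE_STRING can describe, so long
    # (> MAX_PATH) paths do not fail with a length-mismatch status.
    pbi = create_string_buffer(hdr_len + 0xFFFE)
    size = c_int()
    # Set return value to signed 32bit integer so the NTSTATUS sign survives.
    NTDLL.NtQueryInformationProcess.restype = c_int
    ret = NTDLL.NtQueryInformationProcess(self.h_process, 27, byref(pbi), sizeof(pbi), byref(size))
    if not nt_success(ret) or size.value < hdr_len:
        return ""

    header = UNICODE_STRING.from_buffer_copy(pbi.raw[:hdr_len])
    if not header.Buffer or not header.Length:
        return ""
    # Resolve Buffer relative to our own allocation and bounds-check it
    # rather than dereferencing the pointer, so a truncated or unexpected
    # reply cannot become an out-of-bounds read.
    offset = header.Buffer - addressof(pbi)
    if offset < hdr_len or offset + header.Length > sizeof(pbi):
        return ""
    # Slice by the reported Length instead of scanning for "\0\0": a byte
    # scan can match at an odd offset inside a UTF-16 code unit (and the
    # original str-vs-bytes find raised on Python 3, silently yielding "").
    return pbi.raw[offset:offset + header.Length].decode("utf-16-le", errors="ignore")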
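def get_filepath(self):
    """Get process image file path.

    Opens a handle with open_process(), queries NtQueryInformationProcess
    with information class 27 (PROCESS_IMAGE_FILE_NAME) and closes the
    handle again.  The reply is a UNICODE_STRING header whose Buffer points
    at UTF-16LE characters stored behind the header in the same buffer; the
    path is in NT device form (``\\Device\\HarddiskVolumeN\\...``).
    @return: decoded file path, or "" when the query fails or the reply
             does not have the expected layout.
    """
    from ctypes import Structure, addressof, c_ushort, c_void_p

    # Declaring the header as a ctypes Structure gives the right size and
    # alignment on both 32- and 64-bit builds (Buffer is pointer-sized),
    # instead of hard-coding an 8-byte header that only fits 32-bit.
    class UNICODE_STRING(Structure):
        _fields_ = [
            ("Length", c_ushort),          # payload length in bytes, no terminator
            ("MaximumLength", c_ushort),
            ("Buffer", c_void_p),
        ]

    def nt_success(status):
        # NTSTATUS success/informational codes are non-negative as signed int32.
        return status >= 0

    hdr_len = sizeof(UNICODE_STRING)
    # Header plus the largest payload a UNICODE_STRING can describe, so long
    # (> MAX_PATH) paths do not fail with a length-mismatch status.
    pbi = create_string_buffer(hdr_len + 0xFFFE)
    size = c_int()
    # Set return value to signed 32bit integer so the NTSTATUS sign survives.
    NTDLL.NtQueryInformationProcess.restype = c_int
    process_handle = self.open_process()
    try:
        ret = NTDLL.NtQueryInformationProcess(process_handle, 27, byref(pbi), sizeof(pbi), byref(size))
    finally:
        # Close even if the ctypes call raises, so a failed query does not
        # leak a process handle.
        KERNEL32.CloseHandle(process_handle)
    if not nt_success(ret) or size.value < hdr_len:
        return ""

    header = UNICODE_STRING.from_buffer_copy(pbi.raw[:hdr_len])
    if not header.Buffer or not header.Length:
        return ""
    # Resolve Buffer relative to our own allocation and bounds-check it
    # rather than dereferencing the pointer, so a truncated or unexpected
    # reply cannot become an out-of-bounds read.
    offset = header.Buffer - addressof(pbi)
    if offset < hdr_len or offset + header.Length > sizeof(pbi):
        return ""
    # Slice by the reported Length instead of scanning for "\0\0": a byte
    # scan can match at an odd offset inside a UTF-16 code unit (and the
    # original str-vs-bytes find raised on Python 3, silently yielding "").
    return pbi.raw[offset:offset + header.Length].decode("utf-16-le", errors="ignore")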
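def get_filepath(self):
    """Get process image file path.

    Queries NtQueryInformationProcess with information class 27
    (PROCESS_IMAGE_FILE_NAME).  The reply is a UNICODE_STRING header whose
    Buffer points at UTF-16LE characters stored behind the header in the
    same caller-supplied buffer; the path is in NT device form
    (``\\Device\\HarddiskVolumeN\\...``), not a drive-letter path.
    @return: decoded file path, or "" when the query fails or the reply
             does not have the expected layout.
    """
    from ctypes import Structure, addressof, c_ushort, c_void_p

    if not self.h_process:
        self.open()

    # Declaring the header as a ctypes Structure gives the right size and
    # alignment on both 32- and 64-bit builds (Buffer is pointer-sized),
    # instead of hard-coding an 8-byte header that only fits 32-bit.
    class UNICODE_STRING(Structure):
        _fields_ = [
            ("Length", c_ushort),          # payload length in bytes, no terminator
            ("MaximumLength", c_ushort),
            ("Buffer", c_void_p),
        ]

    hdr_len = sizeof(UNICODE_STRING)
    # Header plus the largest payload a UNICODE_STRING can describe, so long
    # (> MAX_PATH) paths do not fail with a length-mismatch status.
    pbi = create_string_buffer(hdr_len + 0xFFFE)
    size = c_int()
    # Set return value to signed 32bit integer so the NTSTATUS sign survives.
    NTDLL.NtQueryInformationProcess.restype = c_int
    ret = NTDLL.NtQueryInformationProcess(self.h_process, 27, byref(pbi), sizeof(pbi), byref(size))
    if not NT_SUCCESS(ret) or size.value < hdr_len:
        return ""

    header = UNICODE_STRING.from_buffer_copy(pbi.raw[:hdr_len])
    if not header.Buffer or not header.Length:
        return ""
    # Resolve Buffer relative to our own allocation and bounds-check it
    # rather than dereferencing the pointer, so a truncated or unexpected
    # reply cannot become an out-of-bounds read.
    offset = header.Buffer - addressof(pbi)
    if offset < hdr_len or offset + header.Length > sizeof(pbi):
        log.info("Unexpected PROCESS_IMAGE_FILE_NAME layout (offset=%d, length=%d)", offset, header.Length)
        return ""
    # Slice by the reported Length instead of scanning for b"\0\0": a byte
    # scan can match at an odd offset inside a UTF-16 code unit, and a
    # missing terminator made find() return -1 and the slice empty.
    return pbi.raw[offset:offset + header.Length].decode("utf-16-le", errors="ignore")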
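def get_parent_pid(self):
    """Get the Parent Process ID.

    Queries ProcessBasicInformation (class 0) on a handle from
    open_process() and returns the InheritedFromUniqueProcessId field.
    @return: parent PID as an int, or None if the query fails.  The parent
             may already have exited, in which case the PID can have been
             reused by an unrelated process.
    """
    from ctypes import c_size_t

    class PROCESS_BASIC_INFORMATION(Structure):
        # Every field is pointer-sized so sizeof() matches the native
        # struct on both 32- and 64-bit builds.  The two PID fields use
        # c_size_t so a zero PID reads back as 0 rather than None.
        _fields_ = [
            ("ExitStatus", c_void_p),
            ("PebBaseAddress", c_void_p),
            ("AffinityMask", c_void_p),
            ("BasePriority", c_void_p),
            ("UniqueProcessId", c_size_t),
            ("InheritedFromUniqueProcessId", c_size_t),
        ]

    def nt_success(status):
        # NTSTATUS success/informational codes are non-negative as signed int32.
        return status >= 0

    pbi = PROCESS_BASIC_INFORMATION()
    size = c_int()
    # Set return value to signed 32bit integer so the NTSTATUS sign survives.
    NTDLL.NtQueryInformationProcess.restype = c_int
    process_handle = self.open_process()
    try:
        ret = NTDLL.NtQueryInformationProcess(
            process_handle, 0, byref(pbi), sizeof(pbi), byref(size)
        )
    finally:
        # Close even if the ctypes call raises, so a failed query does not
        # leak a process handle.
        KERNEL32.CloseHandle(process_handle)
    if nt_success(ret) and size.value == sizeof(pbi):
        return pbi.InheritedFromUniqueProcessId
    return None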
def is_critical(self):
    """Report whether the process is flagged 'critical'.

    Queries information class 29 (ProcessBreakOnTermination); a non-zero
    value means terminating the process would bring down the system, so
    callers use this to avoid killing it.
    @return: True when the flag is set, False otherwise (including when the
             query itself fails).
    """
    if not self.h_process:
        self.open()
    flag = c_ulong(0)
    returned = c_ulong(0)
    status = NTDLL.NtQueryInformationProcess(
        self.h_process, 29, byref(flag), sizeof(flag), byref(returned)
    )
    return bool(NT_SUCCESS(status) and flag.value)
def get_parent_pid(self):
    """Get the Parent Process ID.

    Queries ProcessBasicInformation (class 0) into six pointer-sized slots;
    index 5 is InheritedFromUniqueProcessId.
    @return: parent PID as an int, or None if the query fails or the kernel
             wrote a different number of bytes than expected.
    """
    if not self.h_process:
        self.open()
    info = (ULONG_PTR * 6)()
    returned = c_ulong()
    # Set return value to signed 32bit integer so the NTSTATUS sign survives.
    NTDLL.NtQueryInformationProcess.restype = c_int
    status = NTDLL.NtQueryInformationProcess(
        self.h_process, 0, byref(info), sizeof(info), byref(returned)
    )
    if not NT_SUCCESS(status) or returned.value != sizeof(info):
        return None
    return info[5]
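def get_parent_pid(self):
    """Get the Parent Process ID.

    Queries ProcessBasicInformation (class 0) on a handle from
    open_process() and returns InheritedFromUniqueProcessId (slot 5).
    @return: parent PID as an int, or None if the query fails.  The parent
             may already have exited, in which case the PID can have been
             reused by an unrelated process.
    """
    from ctypes import c_size_t

    def nt_success(status):
        # NTSTATUS success/informational codes are non-negative as signed int32.
        return status >= 0

    # PROCESS_BASIC_INFORMATION is six pointer-sized fields.  A c_int array
    # is only 24 bytes on a 64-bit build, so the call presumably failed the
    # size check there and this always returned None; c_size_t is
    # pointer-sized on both builds (matches the ULONG_PTR/c_void_p variants).
    pbi = (c_size_t * 6)()
    size = c_int()
    # Set return value to signed 32bit integer so the NTSTATUS sign survives.
    NTDLL.NtQueryInformationProcess.restype = c_int
    process_handle = self.open_process()
    try:
        ret = NTDLL.NtQueryInformationProcess(process_handle, 0, byref(pbi), sizeof(pbi), byref(size))
    finally:
        # Close even if the ctypes call raises, so a failed query does not
        # leak a process handle.
        KERNEL32.CloseHandle(process_handle)
    if nt_success(ret) and size.value == sizeof(pbi):
        return pbi[5]
    return None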