Exemplo n.º 1
0
 def add_tracked_pid(self, pid):
     #Initiate driver's state and communication mecanisms
     BytesReturned = DWORD(0)
     pid = DWORD(pid)
     success = KERNEL32.DeviceIoControl(self.hdevice, IOCTL_ADD_TRACKED,
                                        ctypes.byref(pid),
                                        ctypes.sizeof(pid), NULL, 0,
                                        ctypes.byref(BytesReturned), 0)
     if not (success):
         self.log.error("DeviceIoControl failed")
         raise UnpackerException("DeviceIoControl failed")
Exemplo n.º 2
0
    def run(self):
        """Run capturing of usage info.
        @return: operation status.
        """

        meminfo = MEMORYSTATUSEX()
        meminfo.dwLength = sizeof(MEMORYSTATUSEX)

        phquery = PVOID()
        PDH.PdhOpenQuery(None, None, byref(phquery))
        buflen = DWORD()
        buflen.value = 0
        PDH.PdhExpandWildCardPathA(None, "\\Processor(*)\\% Processor Time",
                                   None, byref(buflen), 0)
        buf = create_string_buffer(buflen.value + 1)
        PDH.PdhExpandWildCardPathA(None, "\\Processor(*)\\% Processor Time",
                                   buf, byref(buflen), 0)
        counters = buf.raw.rstrip(b"\x00").split(b"\x00")
        counter_handles = []
        for counter in counters:
            if b"_Total" in counter:
                continue
            phcounter = PVOID()
            PDH.PdhAddCounterA(phquery, counter, None, byref(phcounter))
            counter_handles.append(phcounter)

        nf = NetlogFile()
        nf.init("aux/usage.log")

        PDH.PdhCollectQueryData(phquery)

        while self.do_run:
            time.sleep(2)
            PDH.PdhCollectQueryData(phquery)
            usage = PDH_FMT_COUNTERVALUE()
            bigfloat = 0.0
            for counter_handle in counter_handles:
                PDH.PdhGetFormattedCounterValue(counter_handle, PDH_FMT_DOUBLE,
                                                None, byref(usage))
                if usage.doubleValue > bigfloat:
                    bigfloat = usage.doubleValue

            KERNEL32.GlobalMemoryStatusEx(byref(meminfo))
            usagedata = b"%d %d\n" % (meminfo.dwMemoryLoad, round(bigfloat))
            nf.send(usagedata)

        for counter_handle in counter_handles:
            PDH.PdhRemoveCounter(counter_handle)
        PDH.PdhCloseQuery(phquery)

        nf.close()

        return True
Exemplo n.º 3
0
    def run(self):
        """Run capturing of usage info.
        @return: operation status.
        """

        meminfo = MEMORYSTATUSEX()
        meminfo.dwLength = sizeof(MEMORYSTATUSEX)

        phquery = PVOID()
        PDH.PdhOpenQuery(None, None, byref(phquery))
        buflen = DWORD()
        buflen.value = 0
        PDH.PdhExpandWildCardPathA(None, "\\Processor(*)\\% Processor Time", None, byref(buflen), 0)
        buf = create_string_buffer(buflen.value + 1)
        PDH.PdhExpandWildCardPathA(None, "\\Processor(*)\\% Processor Time", buf, byref(buflen), 0)
        counters = buf.raw.rstrip("\x00").split("\x00")
        counter_handles = []
        for counter in counters:
            if "_Total" in counter:
                continue
            phcounter = PVOID()
            PDH.PdhAddCounterA(phquery, counter, None, byref(phcounter))
            counter_handles.append(phcounter)

        nf = NetlogFile("aux/usage.log")

        PDH.PdhCollectQueryData(phquery)

        while self.do_run:
            time.sleep(2)
            PDH.PdhCollectQueryData(phquery)
            usage = PDH_FMT_COUNTERVALUE()
            bigfloat = 0.0
            for counter_handle in counter_handles:
                PDH.PdhGetFormattedCounterValue(counter_handle, PDH_FMT_DOUBLE, None, byref(usage))
                if usage.doubleValue > bigfloat:
                    bigfloat = usage.doubleValue

            KERNEL32.GlobalMemoryStatusEx(byref(meminfo))
            usagedata = "%d %d\n" % (meminfo.dwMemoryLoad, round(bigfloat))
            nf.sock.sendall(usagedata)

        for counter_handle in counter_handles:
            PDH.PdhRemoveCounter(counter_handle)
        PDH.PdhCloseQuery(phquery)

        nf.close()

        return True
        
Exemplo n.º 4
0
    def run(self, waiting_time):

        # Open driver device
        self.hdevice = KERNEL32.CreateFileA(self.device_name,
                                            GENERIC_READ | GENERIC_WRITE, 0,
                                            None, OPEN_EXISTING, 0, None)
        if self.hdevice == INVALID_HANDLE_VALUE:
            self.log.error("CreateFileA failed with error : 0x%x" %
                           KERNEL32.GetLastError())
            quit()

        self.log.info("Driver device file opened, handle = %x" % self.hdevice)

        #todo : build command line
        self.process = Process(self.command_line, self.log)

        self.process.create_suspended()

        self.pre_run()

        self.log.info("Target process handle value is 0x%x" %
                      self.process.process_handle)

        self.thread_running = True
        thread = Thread(target=self.pipe_reader_thread, args=())

        #Create an unpack event which will be signaled when the
        self.hUnpackEvent = KERNEL32.CreateEventA(NULL, 0, 0, "DaEvent")
        self.UserlandNotidyEvent = KERNEL32.CreateEventA(
            NULL, 0, 0, "UserlandNotidyEvent")

        #Struct sent to the driver
        MyPidStruct = PID_STRUCT()
        MyPidStruct.do_log = self.kernel_log
        MyPidStruct.RWEPolicy = self.rwe_policy
        MyPidStruct.InitialNXState = self.initial_nx_state
        MyPidStruct.UserlandNotidyEvent = self.UserlandNotidyEvent
        MyPidStruct.TargetProcessHandle = self.process.process_handle

        #Initiate driver's state and communication mecanisms
        BytesReturned = DWORD(0)
        success = KERNEL32.DeviceIoControl(self.hdevice, IOCTL_SETUP_STUFF,
                                           ctypes.byref(MyPidStruct),
                                           ctypes.sizeof(MyPidStruct), NULL, 0,
                                           ctypes.byref(BytesReturned), 0)
        if not (success):
            self.log.error("DeviceIoControl failed")
            raise UnpackerException("DeviceIoControl failed")

        thread.start()

        #Resume main process thtread
        self.process.resume()
        self.log.info("Main thread resumed")

        #Wait for unpacking to terminate
        r = KERNEL32.WaitForSingleObject(self.hUnpackEvent,
                                         self.max_unpack_time)
        if (r == WAIT_ABANDONED):
            self.log.error("Wait abandoned, something went wrong")
            raise UnpackerException("Wait abandoned, something went wrong")

        if (r == WAIT_TIMEOUT):
            self.log.info("Wait timed out")
            self.log.info("Thread suspended")

        if (r == WAIT_OBJECT_0):
            self.log.info("Event signaled")

        BytesReturned = DWORD(0)
        success = KERNEL32.DeviceIoControl(self.hdevice, IOCTL_SUSPEND_TRACKED,
                                           NULL, 0, NULL, 0,
                                           ctypes.byref(BytesReturned), 0)
        if not (success):
            self.log.error("DeviceIoControl failed")
            raise UnpackerException("DeviceIoControl failed")

        self.thread_running = False

        result = self.post_treatment()

        BytesReturned = DWORD(0)
        success = KERNEL32.DeviceIoControl(self.hdevice,
                                           IOCTL_UNTRACK_AND_RESUME_PROCESSES,
                                           NULL, 0, NULL, 0,
                                           ctypes.byref(BytesReturned), 0)
        if not (success):
            self.log.error("DeviceIoControl failed")
            raise UnpackerException("DeviceIoControl failed")

        BytesReturned = DWORD(0)
        success = KERNEL32.DeviceIoControl(self.hdevice, IOCTL_CLEANUP, NULL,
                                           0, NULL, 0,
                                           ctypes.byref(BytesReturned), 0)
        if not (success):
            self.log.error("DeviceIoControl failed")
            raise UnpackerException("DeviceIoControl failed")

        KERNEL32.CloseHandle(self.hdevice)
        KERNEL32.CloseHandle(self.UserlandNotidyEvent)

        self.process.terminate()

        KERNEL32.ExitProcess(0)
Exemplo n.º 5
0
    def pipe_reader_thread(self):

        evt_header = EVENT_HEADER()
        nbRead = DWORD(0)

        while (self.thread_running):

            valid_object = True

            #Wait for the driver to signal an event is ready for retrieval
            r = KERNEL32.WaitForSingleObject(self.UserlandNotidyEvent,
                                             INFINITE)
            if (r == WAIT_OBJECT_0):

                #An event has arrived, request it to the driver
                ReceiveBuffer = ctypes.create_string_buffer(1024)
                BytesReturned = DWORD(0)
                success = KERNEL32.DeviceIoControl(
                    self.hdevice, IOCTL_RETRIEVE_EXCEPTION, NULL, 0,
                    ctypes.byref(ReceiveBuffer), ctypes.sizeof(ReceiveBuffer),
                    ctypes.byref(BytesReturned), 0)
                if not (success):
                    self.log.error("DeviceIoControl failed")
                    raise UnpackerException("DeviceIoControl failed")

                header_size = ctypes.sizeof(EVENT_HEADER)

                #Ensure there is a header
                if (BytesReturned.value < header_size):
                    self.log.error(
                        "Did not receive enough data from driver (%d bytes)" %
                        BytesReturned.value)
                    continue

                #Copy the data in a EVENT_HEADER object
                ctypes.memmove(ctypes.addressof(evt_header),
                               ReceiveBuffer[0:header_size], header_size)

                #Ensure it is a known event
                if not (Events.has_key(evt_header.event_type)):
                    self.log.error("Received unknown event with type : %d" %
                                   evt_header.event_type)
                    continue

                #Ensure the object fits in the buffer
                n_remaining_bytes = BytesReturned.value - header_size

                event_class = Events[evt_header.event_type]

                if (n_remaining_bytes != ctypes.sizeof(event_class)):
                    self.log.error(
                        "Wrong event size. Received %d bytes, expected %d bytes"
                        % (n_remaining_bytes, ctypes.sizeof(event_class)))
                    continue

                event_obj = event_class()

                # "cast" the buffer in the appropriate event class
                ctypes.memmove(ctypes.addressof(event_obj),
                               ReceiveBuffer[header_size:],
                               ctypes.sizeof(event_class))

                #call the user defined event handler
                result = self.event_handler(evt_header.event_type, event_obj)
                if (result == 0):
                    self.stop()
                    return